Author Archives: privacynewshighlights

18-25 March 2016

Canada

CA – Trudeau Doubles Counter-Radicalization Spending, Zip for SIRC

The Canadian government is doubling its support for programs to prevent radicalization, but couldn’t find any new cash for the overworked agencies that keep tabs on the country’s spies. Amid controversy last year over Justin Trudeau’s support for anti-terrorism Bill C-51, the Liberals pledged to create an office that would tackle radicalization. In its first budget this week, the government revealed the new office of the Community Outreach and Counter-radicalization Co-ordinator will receive an additional $35 million over five years. The officials say the domestic anti-radicalization money supports “a whole-of-government approach” that involves the RCMP, CSIS, border agents, local governments and community groups. [Source] See also: [Ottawa Citizen: PM Says Not ‘At War’ but Increases Use of Hated C-51 Powers]and [Angus Reid Survey Finds Huge Support for C-51]

CA – Canada Endorses Deal to Share Canadian Banking Records with IRS

Two Liberal cabinet ministers who had criticized a controversial agreement to provide Canadian banking records to the U.S. Internal Revenue Service now say they support the deal. Speaking on the way into a cabinet meeting, Treasury Board President Scott Brison and Transport Minister Marc Garneau rallied behind the position adopted last week by Revenue Minister Diane Lebouthillier, supporting the deal struck under the Harper government that saw 155,000 Canadian banking records shared with the IRS last September. [iPolitics] [Revenue Minister Asked to Testify on Records Transfer to IRS]

CA – Could Take Up To a Year to Swear-in a New BC Privacy Commissioner

Premier Christy Clark’s cabinet may appoint a temporary replacement for B.C.’s privacy watchdog, after the abrupt departure of commissioner Elizabeth Denham caught MLAs who were planning to re-appoint her by surprise. Denham told government this week that the United Kingdom had nominated her as its new information commissioner, and she would leave her B.C. post when her term expires on July 6. The all-party committee of the legislature is now faced with the potentially lengthy process of launching a global search for her replacement, which the committee’s deputy chair admits may not be finished before Denham leaves in July. The normal procedure would be for the all-party committee to make a unanimous recommendation to the legislature, and the legislature to affirm that choice. But if the committee can’t agree on a name before Denham leaves in July, cabinet has the power to slot its own candidate as acting commissioner. That person would serve until the committee makes its choice. The entire process, including legislative confirmation, could take up to a year if government doesn’t convene a fall session. [Source] [BC’s Info and Privacy Watchdog Departs for Britain] [B.C. privacy commissioner Elizabeth Denham moving on to bigger things ]

CA – Alberta Court Finds It Is Not Urgent or Necessary for Law Society to Review a Former Member’s Phone and Computer Records

The Law Society of Alberta sought an order compelling Justin Sidhu to produce records in compliance with the Legal Professions Act. An order compelling access to a former member’s cellphone and computer records following his conviction on charges drug trafficking is denied; if the conviction is upheld on appeal that would be proof of the misconduct and therefore the need for the information is neither urgent nor necessary at this time. [Law Society of Alberta v Sidhu – 2016 ABQB 142 CanLII]

CA – Nunavut Making Little Progress on Access to Info Changes

The Government of Nunavut’s efforts to make the administration of its municipalities more transparent has stalled. That’s because consultations with community governments on how to bring their operations under the Access to Information and Protection of Privacy Act are at a “standstill,” according to Nunavut government documents. “In the past year, consultations with municipalities have been at a standstill due to capacity issues within the ATIPP office,” the GN said in a document tabled March 15 in the Nunavut legislature. In the document, the GN responds to 11 recommendations made by a standing committee of MLAs, which reviewed the 2014-15 annual report by Nunavut’s information and privacy commissioner. [Source]

CA – SCC to Hear 2nd Case Involving Jurisdiction and the Internet

On March 10, 2016, the Supreme Court of Canada granted leave on a second recent case involving jurisdictional issues and the internet: Douez v. Facebook, Inc., 2015 BCCA 279. Douez involved a BC resident plaintiff who sought to sue Facebook for a breach of privacy arising from the use of her name and her portrait without her consent. The proposed class action suit would be based on a claim that Facebook’s practice of featuring the name and image of individuals in relation to certain advertisements amounted to a breach of s. 3 of BC’s Privacy Act—a statutory cause of action which only applied within BC. At first instance, the BC Supreme Court concluded that BC was a proper jurisdiction, was not forum non conveniens, and granted certification. However, on appeal that certification was dismissed. The result on appeal arose from a forum selection clause in the Facebook Terms of Use. Applying the established test from Z.I. Pompey Industrie v. ECU-Line N.V., 2003 SCC 27, the BC Court of Appeal concluded that there was not “strong cause” to decline to enforce the forum selection clause, and therefore stayed the proceeding. As with the recent leave to appeal granted in the Equustek case, the Douez decision explores an important aspect of court jurisdiction over disputes involving online conduct. Where Equustek examined cases not governed by binding terms of service, Douez will provide some parallel insight into situations where terms of service purport to limit the ability of Canadian courts to address online disputes, particularly where such terms may come into conflict with geographically limited causes of action. Given the similar jurisdictional issues raised as between Douez and Equustek, and the proximity in time that the cases were granted leave, it is likely that the court will hear and consider both matters together. [Mondaq]

Encryption

US – House Lawmakers Launch Encryption Working Group

The Chairmen of two House Committees have announced the creation of an encryption working group to examine the complicated legal and policy issues surrounding encryption; the group will identify potential solutions that preserve the benefits of strong encryption while also ensuring law enforcement has the tools needed to keep Americans safe and prevent crime. The House Judiciary Committee and Energy and Commerce Committee have primary jurisdiction over encryption and the issues it presents for citizens, law enforcement, and American technology companies. [Committee on Energy & Commerce] [FCW]

EU Developments

UK – ICO Releases 12 Step Guide on the GDPR

The UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR. The ICO also launched a new microsite on the GDPR. Here is a summary:

  • Ensure awareness amongst key stakeholders in the organisation.
  • Document the personal data that they hold, where it came from and with whom they share it.
  • Review current privacy notices and put a plan in place for making any necessary changes.
  • Check existing procedures to ensure that they cover all the rights data subjects now have.
  • Look at the various types of data processing they carry out, identify and document legal basis.
  • Ensure process and procedures are documented – to help demonstrate compliance with the accountability requirements. [Source] [Press Release] [blog entry]

EU – EDPS Releases Guidance on Information Security Risk Management

The European Data Protection Supervisor has released new guidance on Information Security Risk Management, “which advises EU institutions on how to ensure a secure and trustworthy digital environment for the information that is essential for the functioning of their services.” “The security of personal data is a legal requirement, but it is also necessary in the interests of organisations that rely on the use of information for their daily business … I urge the hierarchies in the EU institutions to engage in the tailored development and use of information security risk management processes to address the specific needs of their organisation.” [EDPS Press Release]

EU – Other European Privacy News

Finance

CA – MasterCard and Bank of Montreal Launch ‘Selfie Pay’

Bank of Montreal customers who use MasterCard to make online purchases will be taking selfies for a whole new reason this summer, as BMO becomes the first Canadian bank to support MasterCard’s new Identity Check mobile app, colloquially known as “selfie pay,” the companies announced. So far, around 200 BMO employees with corporate credit cards have been signed up for the biometric-based feature, which complements the company’s existing MasterPass service by using facial recognition and fingerprint scanning technology to verify online payments. [IT Business]

FOI

CA – Revised Edition of Sedona Canada Principles is Published

The Sedona Canada Principles are revised in a second edition. Principle 2 (proportionality) has been revised to create a 5-part test for applying the “reasonableness” principle; principle 7 (electronic tools) recommends that the parties agree in advance on the tools to be used, and principle 11 (sanctions) is revised to recommend that the Court consider sanctions where a party fails to meet its discovery obligations. [New Edition of the Sedona Canada Principles for E-Discovery – Kirsten Thompson, Partner, and Nolan Hurlburt, Associate, McCarthy Tetrault]

CA – OIPC BC: Records Fall Outside the Scope of FIPPA and Can Be Withheld

The OIPC BC reviewed a decision by the Office of the Police Complaint Commissioner to deny access to records requested pursuant to FIPPA. For records to be except from FIPPA, due to provisions under the Police Act, they must relate the operational records, but not administrative records; based on the video evidence provided the records at issue are operational records of the Police Complaint Commissioner because they are part of a specific case file and relate to the exercise of the Police Complaint Commissioner’s functions under the Police Act. [OIPC BC – Order F16-13 – Office of the Police Complaint Commissioner]

Health / Medical

US – Next Phase of HIPAA Audits Has Begun

The government’s Phase 2 HIPAA audits began March 21. Phase 2 will consist of 200 desk and on-site audits of both covered entities and business associates. The compliance audits are intended to determine if health-care organizations and their contractors are complying with HIPAA privacy and security rules. The first phase of the HIPAA audits was conducted as a pilot program in 2011 and 2012, focused solely on covered entities, while Phase 2 will include both covered entities and business associates. The desk audits are expected to be completed by December, while the more comprehensive on-site audits will begin later in the year. The OCR has reached nine major settlement agreements regarding HIPAA breaches since last March, resulting in a total of $11 million in fines. Some of the lessons learned as a result of the OCR’s enforcement efforts, included the need for companies to:

  • safeguard all paper records, even if most records have migrated to an electronic format;
  • maintain business associate agreements with all business associates;
  • perform a comprehensive risk analysis of all sources of protected health information, not just electronic health records; and
  • translate the results of a risk analysis into a robust risk management plan.

[OCR fact sheet on the Phase 2 audits] [BNA]

US – GAO Identifies Healthcare.Gov Security Weaknesses

The Government Accountability Office released a report identifying several weaknesses in the security of Healthcare.gov. In a span stretching from October 2013 to March 2015, the Centers for Medicare & Medicaid Services reported 316 security-related incidents affecting the site. The breaches mostly consisted of mailing sensitive information to the wrong recipients and the probing of CMS systems by potential attackers. Despite CMS’ efforts to protect the privacy and security of the data maintained through the systems supporting Healthcare.gov, the GAO noted various trouble spots, including faults in technical controls that could place sensitive information at risk for unauthorized disclosure and controls that protect data flowing through data hubs. The GAO, however, noted that hackers did not successfully compromise any personally identifiable information during that span. [Full Story]

US – Two Hospitals Held For Ransom

Hackers held the computer systems of two California-based Prime Healthcare Services’ hospitals for ransom last week. A Prime Healthcare spokesman said that the incident didn’t cripple the internal systems, hospitals remained “operational,” and the FBI is investigating the incident. While not elaborating on the ransom, he called the situation “similar to challenges hospitals across the country are facing.” Meanwhile, Chubb’s Global Cyber Risk Practice announced the launch of a ransomware service for policyholders. “Many businesses are not equipped to deal with a cyber-extortion attempt, where the timeliness of the response is even more critical,” said Global Cyber Risk. [Kaiser Health News]

WW – Diagnosis by Smartphone Risks Patient Confidentiality: Researchers

Doctors who photograph skin conditions using unsecured, personal mobile phones could be breaching patient privacy. In an article in the Medical Journal of Australia, researchers say using telemedicine for diagnosing dermatological conditions was popular because it sped up treatment and improved patient outcomes, particularly in regional areas where there are few specialists. However doctors and medical institutions endangered patient privacy, as well as their own indemnity insurance and confidentiality clauses of their employment contracts, if they failed to protect confidential patient records by using unsecured mobile phones and emails. [Source]

Internet / WWW

WW – GPEN Issues 2016 Annual Report

The Global Privacy Enforcement Network (“GPEN”), an informal network of 59 privacy enforcement authorities in 43 jurisdictions around the world, has released its 2015 annual report. Highlights:

  • Launched GPEN Alert, a new information sharing system that enables participating authorities to better coordinate international efforts in protecting consumer privacy.
  • 18 teleconferences held in the Atlantic and Pacific regions to connect authorities and to build and share expertise. Two face-to-face meetings in Ottawa and Amsterdam
  • Third annual Privacy Sweep spotlighted the privacy practices of websites and apps targeted specifically at, or popular with, children. [Report]

Law Enforcement

UK – Police Create Mega Crime Database for “Predictive Policing”

The police are to consolidate a number of their large databases into a single “platform” in order to “protect victims and spot potential links to other crimes.” The plans for a “National Law Enforcement Data Programme” were announced by the Home Office this week and will bring together data from the Police National Computer, Police National Database and Automatic Number-Plate Recognition (ANPR) systems “onto a single platform.” However, last year the legality of the ANPR database – which collects a “record for all vehicles passing by a camera… including those for vehicles that are not known to be of interest at the time of the read“ – was called into question by the Surveillance Camera Commissioner. The National ANPR data centre now holds information on 22 billion car journeys. Other measures contained within the Modern Crime Prevention Strategy (PDF) include an “explicit focus on data and technology” and the use of “predictive policing”. [Source] [UK tech industry welcomes government’s new anti-crime strategy]\

US — Study: Punishments for Police Database Misuse Should Increase

Police who abuse official law enforcement databases must receive stronger penalties, says a civilian oversight agency. A study by the Denver Office of the Independent Monitor documented 25 cases of the city’s police misusing the database in the past 10 years. “These databases contain vast amounts of personal information about the American public, including community members in Denver,” said the agency’s Independent Monitor. “When they are misused, reprimands are not commensurate with the seriousness of that violation, and may not be strong enough to deter future abuse.” [New York Times]

CA – Retired Police Chief Keeps (Unwiped) Work Devices

The City of Hamilton Police Services Board did not delete sensitive data from former Chief Glenn De Caire’s police-issued laptop and mobile phone, items he was able to keep post-retirement. This potential oversight sparked privacy concerns, but law enforcement officials say there’s nothing to fear. “I don’t know whether he downloaded anything,” said the Police Services Board Chair Lloyd Ferguson. “I trust Glenn and I don’t know whether he would’ve saved anything to the hard drive.” That problem is bigger than that, argued Ryerson University’s Ann Cavoukian. “It’s not that we don’t trust the former police chief. It’s that accidents happen,” she said. “I don’t want to suggest otherwise, but nonetheless this material has to be governed by strict policies and protocols.” [CBC Hamilton]

CA – Ontario Provincial Police Investigating Unlawful Prison Surveillance

Correctional Service Canada’s use of surveillance inside a federal prison has sparked an official investigation by the Ontario Provincial Police and a lawsuit from the jail guards. Officials used cell-site simulators, or IMSI catchers, to locate prisoners’ contraband cellphones, but the technology also grabbed private data from the guards’ cellphones as well. Indiscriminate surveillance programs can be considered a violation of the Criminal Code, but lawyers argue that this may be tricky to prove, as there is a lack of legal precedent that exists for prison surveillance. Regardless, “CSC officials have recently stopped giving statements to lawyers pursuing the civil suit,” the report adds. [The Globe and Mail]

Online Privacy

US – Medical Organizations, Facebook Sued in Class Action

In a new class-action lawsuit, plaintiffs claim Facebook spied on users who relayed private health information on major cancer institutes’ websites in order to make profit off the data in advertising revenue. Winston Smith has sued Facebook, the American Cancer Society, the American Society of Oncology and five others alleging Facebook uses the private health data it takes from the medical institutes’ websites, which feature a secret “Facebook code” capable of transmitting users’ data to the social media site, to create targeted advertising campaigns. [Courthouse News Service]

WW – Facebook Appeals to Advertisers Seeking Certain Groups Via Race-Based Marketing

Facebook’s has launched new race-based marketing campaigns. In a recent campaign, ads for N.W.A.’s “Straight Outta Compton” were served in different ways to three different audiences: black, white or Hispanic. Facebook calls it “ethnic affinity” targeting, and it’s been pushing it since 2014. It appeals to advertisers seeking a certain group. But Facebook users aren’t required to declare their racial or ethnic identity in their profiles. A Facebook executive explained that to construct a profile of a user’s identity, the company looks at “indicators” like your interests, friends and organizations you belong to. [Ars Technica]

WW – Adobe Unveils Cross-Device Targeting Co-Op

Adobe has announced plans for cross-device targeting, which would not only notify technologists when the same individual is using different devices, but also provides companies a new way to target ads. To do so, members of the new Adobe Marketing Cloud Device Co-op will share data with each other. “So if Company X has been able to use login data to establish that two devices belong to the same person, other members of the co-op take advantage of that fact and tailor their advertising accordingly.” The plan has sparked privacy concerns, but Adobe said the participating advertisers must opt-in, and the shared data is not personally identifiable. [TechCrunch]

WW – The Impact of Your Data Footprint

It’s no mystery to most privacy professionals, but the impact one’s data footprint can have on everyday life is beginning to be well chronicled in mainstream media. Fast Company published a long-form work on the myriad decisions that are made via personal data, often without the data subject’s knowledge. From the presence of police in your neighborhood (or not) to the potential dates you’re presented with on your dating site of choice to the job you are offered (or not), the report details how data may be impacting your life experiences. The article’s conclusion? “[E]thical considerations need to be guiding us.” [Full Story]

Other Jurisdictions

AU – NSW Statutory Cause of Action for Invasions of Privacy?

The NSW Legislative Council Standing Committee on Law and Justice has recommended in its report Remedies for the serious invasion of privacy in New South Wales the establishment of a statutory cause of action for serious invasions of privacy. The Committee recommended that, in establishing the statutory cause of action, it should be based on the Australian Law Reform Commission’s (ALRC) model detailed in its 2014 report Serious Invasions of Privacy in the Digital Era (which was the subject of considerable focus during the Committee’s inquiry). The report’s recommendations were made by MPs from four parties, including those of the Coalition, so this is clearly an idea in the mainstream of NSW political thought. Nothing will happen, however, until the NSW Government’s response to the report, which is expected by 5 September 2016. [Clayton Utz Insights]

Privacy (US)

US – FTC Fines Data Broker $4,000,000 for Selling Sensitive PI Without Consent

The FTC entered into an agreement with Sitesearch Corporation et alia following alleged violations of the FTC Act. The data broker is permanently restrained from selling, transferring, or otherwise disclosing a consumer’s sensitive personal information to any third party without consent, it must not misrepresent that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v. Sitesearch Corporation – Final Judgment and Order for Injunctive and Other Relief – United States District Court for the District of Arizona]

US – NY Contractor Fined $3.1M for Outsourcing Government PI to India

A New York contractor will pay $3.1 million and undergo oversight for the next five years for violating a contract that involved outsourcing the personal information of millions of individuals to a company in India. Focused Technologies Imaging Services was tasked with digitizing 22 million files maintained by the State Division of Criminal Justice Services, which included fingerprints, Social Security numbers, signatures and dates of birth. For $82,000, the company shipped the files of millions of individuals to an Indian-based company for processing. Though the state contract required Focused Technologies’ employees pass background checks prior to processing as an added protection for the records, the company to which the records were outsourced did not conduct background checks on its employees. [The New York Times]

US – Hulk Hogan Wins $115M in Privacy Invasion Case

A jury awarded former wrestler Hulk Hogan $115 million (About $1,138,613 per second) after finding that news site Gawker violated his privacy by publishing a sex tape of Hogan without his consent. The jury awarded Hogan $60 million for emotional distress and an additional $55 million for economic damages, with the possibility of more. “This is a victory for everyone who has had their privacy violated,” said Hogan’s attorney. University of Miami School of Law professor Mary Anne Franks said, “People are thinking a little bit more about the concept of what is newsworthy, because what’s changed is the concept of who a public figure is.” The case comes a week after sports reporter Erin Andrews won $55 million for having her privacy violated by a stalker. [Reuters]

US – Gawker Hit With $25 Million in Punitive Damages

A Florida jury ruled that in addition to its $115 million fine, Gawker must pay $25 million in punitive damages for posting wrestling star Hulk Hogan’s sex tape online without consent. The jury also required the news outlet’s CEO Nick Denton to pay a $10 million fee. “I think we made history today, because I think we protected a lot of people today who may be going through what I went through,” Hogan said. The company said it would appeal the ruling. “We are confident we will win this case ultimately based on not only on the law but also on the truth,” Gawker said in a statement. [Reuters]

Privacy Enhancing Technologies (PETs)

US – Tool Puts Users in the Data-Access Driver’s Seat

Massachusetts Institute of Technology and Harvard University research teams are developing a tool that gives mobile users the “final say” on how and when their data is accessed by applications. The cryptography-based program, called Sieve, encrypts and stores user information in the cloud, dispensing data-access requests to the user when an application wants to employ the data. [ZDNet]

Security

US – Study: Cybersecurity Pros Hesitant to Share Threat Intel

A new McAfee Labs survey of 500 private-sector companies indicated that more than a third of cybersecurity professionals “remain hesitant” to share threat intelligence with members of other industries. 63% of respondents would participate in reciprocal threat sharing. The problem, according to the study, lies in companies’ “misunderstanding” of the information appropriate to share. “When an organization begins to implement a [cyber-threat intelligence] sharing effort, it runs afoul of policies that dictate that no confidential data or [personally identifying information] can leave the organization. This is, of course, generally a good policy but the lack of understanding of the content being shared becomes self-defeating in this case.” [FedScoop]

US – OMB Study: 77,000 Cyber Incidents Hit Government in 2015

An Office of Management and Budget annual performance review found that 77,000 “cyber incidents” befell the U.S. government in 2015, a 10% increase from 2014. The study defines these incidents as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices,” and names the government’s increased ability to identify data breaches and employee security gaffes as partly responsible for the larger total, the report states. Regardless, “malicious actors continue to gain unauthorized access to, and compromise, federal networks, information systems, and data,” the study said. [Reuters]

Surveillance

US – NYCLU Says Cities Free Wifi Building ‘Massive Database’

When New York started replacing its pay phones with wifi kiosks in January, the new free internet access was met with a great deal of excitement, particularly over the network’s speed. The beta launch included just a dozen wifi hubs, but the city plans to convert 7,500 phone booths over the next few years so that free wifi is as ubiquitous as the yellow taxi in New York. But now, concerns about privacy are beginning to emerge. The New York Civil Liberties Union (NYCLU) accused the city of using its new public wifi system, LinkNYC, to “build a massive database,” complaining that the company behind the program, CityBridge, can keep a vast amount of information about wifi users, per its privacy policy. “In order to register for LinkNYC, users must submit their e-mail addresses and agree to allow CityBridge to collect information about what websites they visit on their devices, where and how long they linger on certain information on a webpage, and what links they click on. CityBridge’s privacy policy only offers to make “reasonable efforts” to clear out this massive amount of personally identifiable user information, and even then, only if there have been 12 months of user inactivity. New Yorkers who use LinkNYC regularly will have their personally identifiable information stored for a lifetime and beyond.” The group sent a letter to Mayor Bill de Blasio’s office enumerating their concerns about the vagueness of the privacy policy. The letter lists three main concerns: how long user data will be retained, unclear language about government requests for user data, and whether the “environmental sensors and cameras” that sit on the new wifi hubs will feed into the Domain Awareness System, a city-wide police surveillance network. As of late 2013, 57 cities had municipal wireless systems of some sort, a number that has and will continue to grow.  [Fusion]

Telecom / TV

US – FTC: We’ll Be Watching for TV Habit-Tracking Apps

The FTC is advising mobile app developers that it has its eye on technology that could allow phones to monitor TV viewing habits and relay that to targeted third-party advertisers. In a blog post this week, the FTC pointed out it was sending letters—from the associated director of the Privacy and Identity Protection division—to app developers whose apps use software created by Silverpush that runs in the background and enables phones to “listen” for embedded audio signals in TV programs to determine what TV shows or ads are playing (sort of like a Shazam for TV content), even when the app is not being actively used. The app “could” create a log of such TV content. [Source] [FTC Raps Android Developers For Using SilverPush Software]

Workplace Privacy

US – Study: Employees Deserve Privacy Laws

In a forthcoming California Law Review paper titled “Limitless Worker Surveillance,” the authors argue that the government should establish employee surveillance protection laws that would balance an employer’s right to efficiency and a worker’s right to privacy in an increasingly connected world. “While employers have a reasonable interest in ensuring the productivity of their workers and in dissuading misconduct in the workplace, that interest does not outweigh the human right to privacy and personal liberty in domains that have been traditionally considered as separate from work and the workplace,” the research states. They dub their proposed law the “Employee Privacy Protection Act,” and maintain that the same legal protections should be extended to health care workers, as well. [Information Week]

+++

 

08-18 March 2016

Biometrics

CA – Researchers Considering Iris Biometrics to Help Homeless Get Healthcare

A Canadian research project is looking at the use of iris recognition to help homeless people get around the problem of accessing healthcare without proper identification. The iris recognition project will begin later this month with researchers asking those at select temporary shelters whether they’d be comfortable having their iris image captured to be used as a form of ID. An algorithm developed by engineering students at Western University will turn those images into a number that will become the test subjects’ unique ID numbers. Ontario NDP member of provincial parliament Peggy Sattler said, “This (project) is not intended to stigmatize homeless people. It will shed light on how this could work and it can help homeless people have access to health care.” In fact, the technology could also be expanded for all Ontarians, Sattler said. “There are 100,000 more OHIP (Ontario Health Insurance Program) numbers than there are Ontarians.” “Eventually, you could get an iris scan at your doctor’s office and it would go into some kind of database, and every time you access health care, you don’t need a card.” Details about the storage and protection of the biometric data have yet to be worked out. [London Free Press]

Big Data

WW – Twitter, Dove Using Data to Raise Body-Shaming Awareness

Dove unveiled the newest development in its #SpeakBeautiful campaign last week, a tool developed with Twitter that tracks a user’s body-centric buzzwords on the site. The tool issues a link to a user’s own “custom microsite” after they retweet Dove’s official content. The microsite then shows users their own Twitter data, comparing how their “negative tweets stack up to other women.”“ [AdWeek]

Canada

CA – OPC Outlines Recommendations for Modernizing the Privacy Act

The Privacy Commissioner of Canada welcomes a Parliamentary committee review of the Privacy Act and has unveiled his priorities for modernizing the law governing how the federal government handles personal information, which has remained largely unchanged since it was proclaimed in 1983. The OPC recommended changes under three broad themes: Responding to technological change, legislative modernization and the need for transparency. The Privacy Act should be amended to

  • Require that all information sharing be governed by very explicit written agreements;
  • Create an explicit requirement for institutions to safeguard personal information, as well as a legal requirement to report breaches to the OPC;
  • Broaden the grounds to seek a Federal Court review to include all contraventions of the Privacy Act, not just denials of access to personal information;
  • Require government departments to consult the OPC on bills that impact privacy before they are tabled in Parliament;
  • Allow the OPC to report in a more timely and proactive manner on the privacy practices of federal institutions, beyond annual and special reports to Parliament; and
  • Extend the application of the Privacy Act to all government institutions, including Ministers’ Offices and the Prime Minister’s Office.

Commissioner Therrien also urged Parliament to consider regulating the collection, use and disclosure of personal information by political parties, but noted the Privacy Act is probably not the best instrument to do this. [Commissioner Therrien’s full statement]

CA – Alberta Privacy Commissioner Aims to Bring Non-Profits Under Provincial Privacy Legislation

The AB OIPC has recommended to the standing committee on Alberta’s economic future that nonprofits should comply with privacy legislation. The Calgary Sun reports that more than 20,000 nonprofits have been exempted from complying with privacy legislation. Privacy Commissioner Jill Clayton wants to eliminate this exemption as her office was only able to address 9% of the privacy complaints it received regarding nonprofits last year. [Calgary Sun]

CA – Nova Scotians Not Keen on Tech Saving Them Money on Car Insurance

Several insurance companies in Nova Scotia are offering a program that allows people to save up to 25% on their car insurance, but few people are opting to take part, according to OTC insurance and the Insurance Bureau of Canada. In order to apply for the discount, people have to volunteer to install what’s known as a telematics device in their car. The small device is installed under a car’s steering wheel and records an individual’s driving habits for six months. The device records things like driving distances, the time of day the car is driven, and sudden acceleration or braking. At the end of the six months the device is turned over to the insurance company and it uses the data to determine if the user should get a discount on their insurance. “We’ve been advertising quite heavily on the radio and seems like people are very leery about having this device in their vehicle for the insurance companies to look at.” David Fraser, a privacy lawyer, has mixed feelings about telematics. “Once this information is generated, it exists and it can be used for other purposes. It can be subpoenaed in connection for with a lawsuit, the police could get a search warrant and it just adds to the amount of digital debris that we leave behind in the run of the day.” He also questions how accurate the information will be and how it will be interpreted. [CBC News]

CA – BC Law gives Coroners Wide Power to Protect Privacy of the Dead

The BC Coroners Service has refused to release the medical records of a murder victim asserting the deceased still has privacy rights. There aren’t any Freedom of Information and Protection of Privacy Act provisions that compel “public bodies … to disclose certain types of information,” said Michelle Mitchell, communications officer for the Office of the Information and Privacy Commissioner for British Columbia. “Therefore, it is not within the commissioner’s powers to require a public body to include specific kinds of information in a report,” she added. [Vancouver Sun]

CA – Trudeau Agrees to Hand Over Even More Data About Travelers to the US

Justin Trudeau’s pilgrimage to Washington has produced one clear result. Canada’s new Liberal government says it will push through a long-delayed plan to share with Washington biographic and other information on Canadian citizens travelling overland to the U.S. The Americans, in turn, will reciprocate. [Source] [US Travel cheers expansion of Border Preclearance Program in Canada] The announcement came as a sidenote to the climate change strategy announced by the two leaders, with fanfare, in DC on last week. “The government of Canada has assured the U.S. it will complete the last phase of a coordinated entry and exit information system so the record of land and air entries into one country establishes an exit record from the other,” the statement from the two leaders reads. Obama framed the deal around stemming the flow of foreign fighters between the two countries — even though evidence for that supposed trend appears to be non-existent — but the effects of the deal could impact the privacy rights of all cross-border shoppers, tourists, and anyone else who crosses the world’s largest land border. The entry/exit deal dates back to the 2011 ‘Beyond the Border’ plan to boost security and reduce trade restrictions between the two countries. The 2011 plan commits the two countries to “establish coordinated entry and exit systems at the common land border” and “exchange biographical information on the entry of travelers, including citizens, permanent residents, and third country nationals” whenever they cross one country into the other. But that part of the plan never came into force, at least not as envisioned. Canada began sharing information with its American counterparts on all third-country nationals — border-crossers who were neither American nor Canadian — but never began doing so for its own citizens, even though it committed to start in June 2014. [Source] [Op-Ed: Canada to share information with U.S. on land border crossers] [Canada, U.S. to share more passenger information ] [Trudeau quietly agrees to share info on Canadians with U.S.]

CA – CSIS Head Says New Powers to Disrupt Plots Used Almost 2 Dozen Times

The head of Canada’s spy agency told a Senate committee that his agency has used its extraordinary powers to disrupt extremist plots close to two dozen times since the fall of 2015. Michel Coulombe, director of CSIS, made the admission to the national security and defence committee, revealing for the first time how frequently this power was used. Canada’s spy agency was granted the power to disrupt suspected plots rather than just relay information about those plots to the federal government and the RCMP when Bill C-51 became law this past summer. [CBC] [CSIS hasn’t crossed line with controversial new powers under Bill C-51, director tells Senate committee]

CA – Toronto Fire/Paramedic Services to Post Emergency Call Data Online

City councillors are getting ready to make vital information about fires and medical emergencies available to the public. A council committee approved two motions this week to have the fire and paramedic services make data from their LiveCAD system — which tracks calls for help in real time — open for the public to see and download. Both were instructed to work with the city’s legal department to make the information available without compromising the privacy of Torontonians. One solution proposed to the committee, for example, was releasing the nearest major intersection to each incident rather than the specific address. [Source]

CA – Regina Police Posting Photos of Potential Witnesses, Suspects and Victims

Can you identify this individual? That question is written under photos of various people, usually appearing in security camera footage, posted on the Regina Police Service’s website. Most of the pictures are of men and women entering stores, walking down aisles or buying something at a cash register. A form underneath the photos allows someone to leave a confidential tip. In some photos, police have put more information about why they are seeking someone, usually because they are a suspect in a crime. But in others, no information about why police want to talk to the individual is provided. The practice began shortly after police started posting photos of individuals wanted on outstanding warrants to its website in February. When explaining the “Can You Identify” page, a separate section of the website, police stress the individuals appearing there are not necessarily suspects in a crime. Once the individual has made contact with police, their photo is taken off of the website. Walter said police have had success with the initiative, and some of the individuals have turned out to be suspects. Before beginning the practice, the RPS consulted its legal counsel through the City of Regina. The approval was given on the basis that a person in a public space does not have the expectation of privacy, and their image is not considered personal information. What police are doing is legal, but it still doesn’t sit well with the Canadian Civil Liberties Association. “It’s not clear what they were suspected of doing, or why the police are seeking them. And once the police locate them, it may turn out that these individuals are innocent. However, other members of the community could assume that someone being sought by the police is guilty of some kind of wrongdoing, and this stigma is particularly troubling given how long images can stay on the Internet,” said Berger. [Leader-Post]

CA – Federal Government Launches Consultations on Breach Notification

On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed to PIPEDA pursuant to the Digital Privacy Act (Bill S-4). The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations. The discussion paper not only solicits comments, it identifies issues that may arise in respect of certain regulatory approaches. Following this consultation process, the Canadian Government will publish draft regulations for public comment and further consultation. It is unlikely that we would see breach reporting come into force in Canada before the last quarter of the year. [Source] [Industry Canada] [Discussion document] [Source]

Consumer

WW – How Canadians Feel About Data and Privacy (Survey)

Concern about data privacy and security is down among consumers across the globe, but companies still have a long way to go to earn their trust, according to a new study from SAS. The analytics company conducted an online survey of more than 4,300 adults in 15 countries, including Canada. Globally, 63% of respondents said recent events like hacks and data breaches of government agencies and financial websites have heightened their concerns around sharing personal information, down from 69% in SAS’s 2014 survey. In Canada, 64% of consumers report concern about what businesses do with their personal data; 24% of respondents feel they have no control at all over what businesses do with their information, and only 13% believe they have total control. [Mobility, Vulnerability and the State of Data Privacy] [Marketing Magazine]

US – Time, Mansueto Ventures Sued for Alleged Data-Selling Practices

The ability to sell subscriber information to third parties is at the center of two separate lawsuits. Plaintiffs maintain that both Time Inc., the company behind magazines People and Sports Illustrated, and Mansueto Ventures’ data usage violated their respective states’ privacy legislation. “Unfortunately for its subscribers, Time supplements its sales and advertising revenue by secretly selling their statutorily protected information — including their full names, titles of magazines subscribed to and home addresses (collectively ‘Personal Reading Information’) — to data miners and other unrelated third party companies,” one suit reads. [NY Post]

US – Don’t Post About Me on Social Media, Say Children

Recently, university researchers asked children and parents to describe the rules they thought families should follow related to technology. In most cases, parents and children agreed — don’t text and drive; don’t be online when someone wants to talk to you. But there was one surprising rule that the children wanted that their parents mentioned far less often: Don’t post anything about me on social media without asking me. [New York Times]

E-Government

CA – Canada: Federal Government Lagging on Online Services, Documents Warn

The federal government is lagging behind both private sector offerings and Canadians’ expectations in online services, internal documents warn. A full 77% of federal services still cannot be completed over the Internet. Services like passport applications, requesting access to government information, or obtaining proof of citizenship all require in-person treks to Service Canada locations or mailed application forms. A minority of services, like filing taxes or updating pension information, can be done online through government websites. In addition to raised expectations, the documents note that it takes a long time for the sprawling federal bureaucracy to implement changes in how it delivers services. [Source]

US – California Judge Reverses Court Order on Student Information Release

A federal judge tweaked her initial court order for the release of sensitive student data to a statewide parent group of special education advocates March 1, as a result of a “large number of objections” from parents who mailed in opt-out forms to the U.S. District Court in Sacramento. [The ruling] In her March 1 order, U.S. District Court Judge Kimberly Mueller noted the large number of objections to the potential release of student data received by the court following the posting of the “Notice of Disclosure of Student Records” on Feb. 1. In response, the court ordered that the CDE maintain custody of the most sensitive of its databases—the California Longitudinal Pupil Achievement Data System (CALPADS)—while running searches for information requested by the plaintiffs. The court also reiterated that no student’s personally identifiable information may be released to the plaintiffs unless and until they demonstrate to the satisfaction of the court that the method to be used to store the sensitive student data is secure, the CDE noted. The parties are still litigating the extent of the disclosure of student data. [Morgan Hill Times] See also: [Special ed court case causes stir] [Teachers union supports opt-out option]

E-Mail

CA – Claim that Minister Doesn’t Use Email Adds Questions About B.C. Libs Compliance With FOI Laws

The B.C. finance minister has joined a growing list of senior provincial government officials who either claim they do not use email or who have been caught routinely deleting their emails. The practice has gained prominence following freedom-of-information requests by the media and a damning report by the OIPC BC, which rebuked the Liberal government for failing to adequately create and maintain records. It also singled out specific staff for routinely “triple deleting” emails as a means of permanently destroying records. BC Premier Christy Clark responded with a public statement. “The practice of ‘triple-deleting’ will be prohibited, ministers and political staff will continue to retain sent emails and a new policy and specific training will be developed,” she said in a December 16 media release. Clark also said the government would “study and consider the establishment of duty to document”. According to his press secretary, “(Finance) Minister de Jong has the longstanding practice of requiring information such as briefing notes, decision notes, memos and other correspondence to be delivered to him through his office on paper, rather than to an email account,” it reads. “His choice not to receive information or hold conversations by email is a matter of personal preference as a way to manage and prioritize the volume of information his portfolio already entails,” the statement continues. De Jong’s aversion to the world’s most common form of interoffice communication puts him in good company among Liberal government senior staffers. On December 16, the Straight reported that the premier herself had essentially stopped using email. [Vancouver free press] [Finance Minister Mike de Jong doesn’t do email, says premier — and that’s OK with her] See also: [FOI response suggests B.C. Premier Christy Clark has basically stopped sending emails] and [NDP cites evidence of emails deleted from top government accounts, including premier’s]

CA – Former BC Staffer Charged in E-Mail Deletion Probe

A former B.C. government employee who allegedly deleted e-mails involving the Highway of Tears has been charged with two counts of willfully making false statements to mislead, or attempt to mislead, the province’s information and privacy commissioner. The B.C. Criminal Justice Branch announced the charges Friday – approximately 4 1/2 months after Commissioner Elizabeth Denham released a scathing report that said Premier Christy Clark’s government routinely thwarted freedom-of-information requests through tactics such as triple-deleting e-mails. The charges were laid under FIPPA. Mr. Gretes faces a maximum fine of $5,000 a count. [The Globe and Mail]

Electronic Records

AU – Updated eHealth Record System Still Sparks Criticism

The Australian government’s revised eHealth program, now dubbed “My Health Record,” still faces the criticism of privacy advocates. While this newer iteration of the Personally Controlled Electronic Health Record permits an opt-out function, critics like the Australian Privacy Foundation argue that the program lacked specific instructions for doing so. “There are many people who should be very careful about letting the government put lots of identifying information into a central database,” the APF said in a statement. [Computerworld] [Opt-out e-Health a ‘Fundamental Breach of Trust’: Victorian Regulator]

Encryption

UK – ICO Issues Guidance on Use of Encryption

The U.K.’s Information Commissioner’s Office has released a new set of encryption guidelines, urging companies to embrace the practice before it’s too late. Although encryption practices are relatively simple, companies “often have no idea whether their data is encrypted or not,” the report states. The ICO said in a blog post that while choosing to forgo encryption isn’t illegal, “the ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data,” resulting in a high number of fines and the loss of many a company’s reputation. [ZDNet] See also: [U.K.’s Investigatory Powers Bill would mean even small startups would be required to create backdoors to their systems] and [France Clears Bill That Could Force Apple to Unlock Terror Data] [A bill under consideration in France would impose powerful new penalties for companies that do not provide access to encrypted communications in terrorism-related investigations]

UK – Snooper’s Charter Would Require Even Startups to Build in Backdoors

Should the U.K.’s Investigatory Powers Bill pass through Parliament, even small startups would be required to “bake insecurities into their systems in order to be able to hack users on demand.” And, while Apple has been able to make public the fact that the FBI wants backdoor access in the U.S., the U.K. bill would require companies to keep quiet about law enforcement requests. “They built in systems that would force companies who have more than 10,000 users — which for a startup 10 years ago used to be a hard thing, now you can quite quickly collect 10,000 users no problem — so it’s a very low threshold,” said Privacy International’s Eric King. [TechCrunch]

US – EFF on Why FBI Can’t Force Apple to Sign Code

Code is speech: critical court rulings from the early history of the Electronic Frontier Foundation held that code was a form of expressive speech, protected by the First Amendment. The EFF has just submitted an amicus brief in support of Apple in its fight against the FBI, representing 46 “technologists, researchers and cryptographers,” laying out the case that the First Amendment means that Apple can’t be forced to utter speech to the government’s command, and they especially can’t be forced to sign and endorse that speech. In a “deep dive” post, EFF’s Andrew Crocker and Jamie Williams take you through the argument, step by step. [Source]

US – Encrypted WhatsApp Messages Frustrate New Court-Ordered Wiretap

The US Department of Justice has opened another legal front in the ongoing war over easy-to-use strong encryption. Prosecutors have gone head-to-head with WhatsApp, the messaging app owned by Facebook. Citing anonymous sources, the Times reported that “as recently as this past week,” federal officials have been “discussing how to proceed in a continuing criminal investigation in which a federal judge had approved a wiretap, but investigators were stymied by WhatsApp’s encryption.” The case, which apparently does not involve terrorism, remains under seal. [The New York Times]

WW – Google Adds Worldwide HTTPS Info to Transparency Report

Google has launched a transparency report specifically to track the progress of the Internet’s encryption efforts. The aim is in support of the general push to have encryption available everywhere. Even within the Google universe HTTPS is far short of 100% of traffic. Excluding YouTube traffic, but with Gmail, Drive, Search and increasingly Blogger and advertising traffic over HTTPs, only 75% of what’s served from Google domains is currently encrypted. Google will be updating that reporting each week, the company says. The second plank of the strategy is looking at Certificate Transparency: a public search interface letting users check that a certificate is valid and is being used correctly. [The Register]

EU Developments

EU – MEPs Vote Against Passenger Name Record Vote

Members of the European Parliament voted 7 March against placing the Passenger Name Record on the plenary session agenda, citing privacy objections. “It is true that the Council has never been particularly helpful on the legislative package related to data protection,” said French Socialist Delegation President Pervenche Berès. “But the fact that PNR has still not been adopted in March 2016, after it was promised for December last year, does not give a very good impression of the EU.” MEPs rejected placing PNR on the agenda for “fear a vote on PNR may allow member states to abandon the personal data protection package they have promised as a counterweight to the new surveillance powers.” [EurActiv] See also:

[some analysts are predicting the EU-U.S. Privacy Shield will not stand up to judicial scrutiny in Europe]

EU – EDPS Releases Case Law Overview

The European data protection supervisor has released a working document covering relevant privacy and data protection case law in the EU between Dec. 1, 2014 and Dec. 31, 2015. The case law pertains to the Court of Justice of the EU, European Court of Human Rights, and national courts of member states “on the right to the protection of personal data, the right to protection of private life, access to documents, and the right to freedom of expression,” the EDPS working document states. The overview also includes pending cases and is “intended to provide factual summaries of case law.” [Source]

Facts & Stats

US – Verizon Issues Data Breach Digest Report

Verizon has released a Data Breach Digest Report, a set of 18 case studies that comprise common scenarios that the majority of breaches fall into. The incidents include a water utility at which intruders managed to manipulate water treatment processes and flow; a developer who outsourced his work to China; and pirates (the seafaring variety) who used information stolen from a shipping company’s computers to target specific containers on vessels they boarded. [eWeek] [DarkReading] [Ars Technica] [CSO Online]

US – Businesses Reluctant to Report Attacks: Report

According to a report, Cyber Security: “Underpinning the Digital Economy,” from the Institute of Directors and Barclays bank, many organizations do not report cyberattacks to law enforcement. Just 28% of cyberattacks are reported. The report also found that while most business leaders believe cybersecurity is important, just half have established plans to protect themselves from attacks. [ZDNet]

CA – 53% Have Been ID Theft or Fraud Victims: Equifax Survey

More than half of Canadians (53%) say they have been a victim of financial fraud according to an Equifax Canada survey. Additionally, new data suggests that millennials (Generation Y) are increasingly the ideal target for fraudsters and organized crime syndicates. Throughout Fraud Prevention Month in March, Equifax Canada will work with the Canadian Anti-Fraud Centre (CAFC) to educate consumers, especially millennials about the impact of fraud and how to protect themselves. The CAFC estimates that mass marketing fraud losses to businesses and citizens has grown to greater than $10 billion annually, and it’s believed that almost 80% of all fraud is committed by organized crime groups. [Source]

Finance

US – FTC Wants Details on Credit Card Audit Practices

The FTC has issued orders to nine companies to share their Payment Card Industry Data Security Standards auditing practices, the agency said in a statement. The FTC aims to measure “the state of PCI DSS assessments,” the report states. The agency further hopes to gauge “the ways assessors and companies they assess interact” and to glean “information on additional services provided by the companies, including forensic audits.” [FTC]

FOI

CA – OIPC BC Orders Disclosure of 3rd Party Pricing Info Withheld by Public Body

The BC OIPC reviewed a decision by the Capital Regional District to withhold records requested pursuant to FIPPA. Disclosure of the information would not significantly harm the competitive position of the third party; the information does not directly state hourly rates, is not sufficiently detailed to reveal the hourly rates of individual personnel, and is dated information from 2009 and of limited use to competitors. [Order F16-05 – Capital Regional District]

CA – OIPC BC Orders Elections Body to Disclose Administrative Records

This OIPC order reviewed Elections BC’s refusal to disclose records requested under BC FIPPA. The administrative records are subject to FOI legislation and must be disclosed (e.g. job descriptions and a delegation matrix indicating who the Chief Electoral Officer has chosen to assist with his various functions); operational records do not fall under the legislation and may be withheld (e.g. an event plan that relates to the CEO’s planning of electoral processes, and memorandums of understanding related to the exercise of the CEO’s powers in relation to the prosecution of electoral offences). [Order F16-07 – Elections BC]

CA – OIPC SK Partially Upholds the Decision to Withhold Certain Records

The Saskatchewan OIPC reviews the decision of the Saskatchewan Arts Board’s to withhold records requested pursuant to The Freedom of Information and Protection of Privacy Act. The Board withheld records containing third party information which qualifies as advice, proposals, recommendations, analyses or policy options (such as, the analysis of and recommendations for issues faced by the Board, reports prepared for the Board which included advice and recommendations) that would be part of the Board’s responsibility and were prepared for the purpose of taking action or making a decision. [Review Report 154-2015 – Saskatchewan Arts Board]

Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows

An Advisen study, commissioned by ID Experts, found that the cost of the average data breach is less than most cyber insurance policies’ deductibles. “Most data breaches are small — consisting of fewer than 500 records lost,” the report states. “But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000.” As a result, more than 70% of those surveyed employ internal resources to clean up these smaller incidents. “There’s a lot of misconceptions around cybersecurity insurance — what it does, what it could do. It’s not for everyday occurrences.” [DarkReading]

CA – Commercial Liability Policies Likely Do Not Protect Companies from Data Breach Costs

A law firms examines why Commercial General Liability (CGL) policies may not protect companies in the event of a breach. The standard CGL policy usually requires “compensatory damages” to have been incurred, but the tort of breach of privacy does not require proof of damages; breach notification often requires legal assistance, which is not covered. U.S. case law suggests that CGL coverage for privacy-invasive “publication” does not apply to publication by third parties (e.g. hackers). [Breach: How New Types of Privacy Claims are Changing the Litigation Landscape – Daniel Reid, Associate, Harper Grey, Insurance Brokers Association of BC]

Genetics

UK – Police Hold DNA Profiles of 7,800 Terrorism Suspects

A police counter-terrorism database contains the DNA profiles and fingerprints of more than 7,800 identified individuals, an official government watchdog has revealed. The figure revealed by the biometrics commissioner, Alastair MacGregor QC, in his annual report last week, is far higher than any previous indications of the number of suspected terrorists in Britain. The commissioner reveals that the number of individuals whose DNA profiles and fingerprints are being logged on the little-known database as a result of counter-terrorism investigations is growing rapidly, having risen from 6,500 identified individuals in October 2013. The watchdog also reports that errors and delays in an official drive to delete the biometric records of those who have never been convicted of an offence – which account for 55% or 4,350 of those on the counter-terrorism database – have led to the destruction of a significant number of biometric records of terrorism suspects that should have been kept on national security grounds. In his second annual report, MacGregor says 1.7m DNA profiles and 1.6m sets of fingerprints have been deleted from the police national DNA database since the home secretary, Theresa May, introduced legislation in 2012 requiring the removal of details of those who have never been convicted of a criminal offence. He says the fact that the national DNA database still holds the biometric details of 12.5% of all men and 3% of all women in Britain and has not had any “demonstrably adverse impact” on its effectiveness; indeed, if anything, its overall “match” rate with DNA evidence found at crime scenes has gone up. But the commissioner raises serious concerns about the standalone national counter-terrorism police database. It has been quietly built up under powers in the Terrorism Act 2000 by collating DNA profiles and fingerprints gathered from searches, arrests and crime scenes during counter-terrorism investigations. MacGregor says he decided to publish the number of individuals on the counter-terrorism database after it was suggested to him in 2014 that to do so would be contrary to the interests of national security. He says he was “not wholly persuaded” by the argument and this year he sought and obtained agreement to disclose the number. [The Guardian]

Health / Medical

CA – Ont. Court Docs in Assisted Death Cannot Be Named by Press

An Ontario judge agreed to ban media from reporting the names of doctors for a Toronto man seeking assisted death, arguing that anonymity is needed to ensure health workers keep helping out in such cases. The ruling by Justice Thomas McEwen of the Ontario Superior Court also prohibits identifying the cancer patient and his family, citing the “intensely private and personal matter of his death.” A lawyer representing the National Post and other news media had objected to the scope of the ban requested by the 80-year-old man, saying it was important to make public the physicians’ names, partly to help identify any doctors who might “rubber-stamp” assisted-death requests. But the physicians and other health workers had asked to remain anonymous and they were justified in doing so, said Justice McEwen. “Their wish and concerns are entirely reasonable, in my opinion, given the publicity and controversy surrounding physician-assisted death,” said his 10-page decision. “This is a public interest of great importance … There may be a serious risk (with naming names) of impairing access to physicians willing to assist.” The judge also ruled the patient’s lawyer could edit out the required information from the court file before making it available to the media or their lawyers. [Source]

US – Study: Health Apps Pose Major Privacy Concerns

An Illinois Institute of Technology Chicago-Kent College of Law study of Android mobile apps for diabetes management found privacy practices wanting. “Many health apps transmit sensitive medical information, such as disease status and medication compliance, to third parties, including aggregators and advertising networks,” the report states. More than 80% of the apps had no privacy policies. An undefined legal landscape encourages these behaviors, the researchers argue. “Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case,” they said. [CBS News]

EU – Estonian Citizens to Have World’s Most Hack-Proof Health-Care Records

Estonia is moving its citizens’ health records to a database, based on blockchain technology, that nobody can mess with. While financial institutions rave about the potential for blockchain—the technology that powers bitcoin—as a way to revolutionize the financial world, it can also help keep private data secure. A blockchain is essentially a digital ledger that, thanks to some computational tricks, records every change made to it indelibly. This means it can act as a database for health data. Whenever someone’s health records are accessed, that “event” is recorded on the blockchain, alongside what information was changed or added. That way, the information remains both secure and tamper-proof; nobody can change it without leaving traces. Eventually, there will be a dashboard for the public to see their own health records and any changes made to them. [Estonia using Blockchain to secure health records] [Estonian citizens will soon have the world’s most hack-proof health-care records] [Guardtime secures over a million Estonian healthcare records on the blockchain]

US – Senator Asks Privacy Regulators to Stop Abuse of Nursing Home Residents on Social Media

After a December 2015 ProPublica report documented more than 35 incidents involving employees at assisted living homes sharing photos of residents on social media, U.S. Sen. Tom Carper, D-Del., wrote the Department of Health and Human Services’ Office for Civil Rights asking what it’s doing to curb these instances. Of the photos, which often depict naked, ill residents, Carper said in a statement, “This type of abuse is unacceptable and falls short of our moral obligation to the ‘least of these’ in our society.” The OCR’s Deven McGraw said the office would reply to Carper’s inquiries. [ProPublica] See also: [Newfoundland health worker fired for privacy breach involving 25 patients]

Identity Issues

EU – EMA Published Guidance on De-Identification of Clinical Reports

The European Medicines Agency (EMA) has published guidance on the anonymization of clinical reports according to EMA policy on publication of clinical data for medicinal products for human use (EMA/240810/2013). Under the European Medicines Agency Policy 0070 for medicinal products for human use, manufacturers are required to submit anonymized versions of clinical reports to the agency, as well as a risk analysis report documenting how the risk of re-identification is considered sufficiently small. The specificities of the clinical data should be taken into consideration when selecting the most appropriate anonymisation technique (e.g. masking, randomisation or generalisation); a data controller must continuously follow development in re-identification techniques and, if necessary, reassess the risk of re-identification. These documents will then be made publicly available under two different data sharing mechanisms. Many manufacturers are now trying to figure out how to meet these requirements for their new submissions. [Source] [Webinar by Privacy Analytics – March 31, 2016). [European Medicines Agency – External Guidance on the Implementation of the European Medicines Agency Policy on the Publication of Clinical Data for Medicinal Products for Human Use]

Internet / WWW

UK – New Guide to Help Build Child Safety into Platforms

The U.K. Department for Culture Media & Sport has released a new guide designed to help organizations ingrain online child safety into Web and mobile businesses. The guide, Child Safety Online: A Practical Guide for Providers of Social Media and Interactive Services, uses the six principles of the ICT Coalition for Children Online safety framework, a European industry initiative to make online platforms safer for younger users. The principles include content; parental controls; dealing with abuse/misuse; child abuse or illegal contact; privacy and controls; and education and awareness. [Source]

Law Enforcement

CA – Vancouver Police Investigates Leak About Visiting Photographers

The Vancouver Police Department claims it is still investigating how a local website obtained an internal police bulletin and photographs of three men who were wanted for questioning after they were seen taking photographs at Pacific Centre Mall last January. “As this matter remains under investigation by the Vancouver Police, we are relying on section 15 of the Freedom of Information and Protection of Privacy Act to withhold records related to this issue.” Section 15 of the act consists of a number of provisions that allow government organizations to refuse to release information if doing so would be “harmful to law enforcement”. The Straight filed the requests in question after the local website published photographs that the website later said it had obtained from an internal police bulletin it had received from a member of the VPD. The original post published on January 14 included photographs of the three men wanted for questioning and quoted the VPD internal bulletin describing them as “men who look Middle Eastern”. The following morning, VPD chief Adam Palmer said the force was never planning to go public with a warning about the men. He explained the VPD only responded with information intended for the public after an internal report was leaked to media. The VPD subsequently released a statement that cleared all three men of any wrongdoing. [Source]

US – Use of Stingrays Violates Fourth Amendment: Court

The Maryland Court of Special Appeals upheld a historic decision by a state trial court that the warrantless use of cell-site simulators, or Stingrays, violates the Fourth Amendment. The trial had suppressed evidence obtained by the warrantless use of a Stingray – the first time any court in the nation had done so. Last April, a Baltimore police detective testified that the department has used Stingrays 4,300 times since 2007, usually without notifying judges or defendants. Stingrays mimic cellphone towers, tricking nearby phones into connecting and revealing users’ locations. Stingrays sweep up data on every phone nearby — collecting information on dozens or potentially hundreds of people. The ruling has the potential to set a strong precedent about warrantless location tracking. [Slashdot]

CA – Surveillance Device Used In Prison Sets Off Police Probe

Federal prison authorities are under criminal investigation for possible illegal surveillance. The probe centres on Correctional Service Canada’s use of a dragnet surveillance device inside a penitentiary. Fallout from the 2015 surveillance incident, involving a device that CSC officials called a “cellular grabber,” has led to a lawsuit from jail guards and a criminal inquiry by the Ontario Provincial Police. [Source]

CA – RCMP Fight to Keep Lid on High-Tech Investigation Tool

Police in Canada are fighting to keep secret the specifics of advanced technology they’ve used to spy on mobile phones in a criminal investigation into organized crime. Court documents filed in the Quebec Court of Appeal show government lawyers have acknowledged that the RCMP used an extraordinary communications-interception technique involving “mobile device identifier” equipment. But the Crown will be fighting to keep details of the operation under wraps during a court hearing scheduled for March 30 in Montreal. Chris Parsons, a researcher with the Citizen Lab at the University of Toronto’s Munk School, said this case “wouldn’t be the first time [these devices] have been used – but it would be the first time [authorities] have been caught out in court.” The public is bound to want to know more, Mr. Parsons said. “These are fundamentally devices of mass surveillance,” he said. [Source]

AU – Fears Policing Databases Will Be Exempt from Privacy Laws

National policing databases for firearms, domestic violence and child offenders will no longer be overseen by Australia’s privacy watchdog and could be exempt entirely from privacy laws if they are handed over to the Australian Crime Commission under proposed laws. The information commissioner, Timothy Pilgrim, has warned in a Senate inquiry submission that if a proposed bill to merge Crimtrac’s functions into the Australian Crime Commission is passed the data held by CrimTrac will no longer be subject to Australia’s privacy laws. The federal government has put forward bills that would see the secretive Australian Crime Commission, which has the power to conduct coercive interviews, essentially take over the functions of CrimTrac and other agencies. CrimTrac is the national policing organisation that holds major databases surrounding firearms, domestic violence, child offenders and missing persons. It also assists in the collection of biometric data for the immigration department. As a result it holds large quantities of personal information on millions of Australians. The agency will continue to be overseen by the commonwealth ombudsman and the Australian Commission for Law Enforcement and Integrity. But Pilgrim said the “scope of that oversight differs” from the specific privacy related oversight of the Office of the Australian Information Commissioner. [The Guardian]

Location

UK – Unmasking Banksy: Did ‘Predictive Policing’ Tool Catch An Artist?

A geographic profiling tool, developed to find serial criminals and terrorists, may have helped unmask the mystery identity of Banksy. Researchers say they have identified the elusive artist – creator of million-dollar works of political graffiti – as Robin Gunningham, supporting a theory published by Daily Mail in 2008. Scientists at Queen Mary University of London used a statistical tool to map 140 locations of Banksy’s works around Bristol and London and compare them to the homes of possible candidates, they wrote in the Journal of Spatial Science. That led them to Mr. Gunningham. This mathematical method of analysis, known as criminal and geographic profiling, is often used by law enforcement to identify serial criminals. The idea behind the technique is that people tend to commit crimes close to where they live. The technique has also been used to trace breeding sites for malaria outbreaks or to locate the roosts of wild bats, and the researchers suggested that what helped find one graffiti artist could also help locate terrorists. “More broadly, these results support previous suggestions that analysis of minor terrorism-related acts (e.g., graffiti) could be used to help locate terrorist bases before more serious incidents occur,” they wrote in their abstract. Not everyone accepts that geographical profiling can accurately pinpoint perpetrators, though it’s used by several US police departments. Data-fueled analytics also called “predictive policing,” has drawn considerable critics, arguing that the method is discriminatory and often targets minorities. “What data are they using? How are they weighing variables? What values and biases are coded into them? writes the Guardian. “Even the companies that develop them can’t answer all those questions, and what they do know can’t be divulged because of trade secrets.” “Police departments are opening the way for corporations to have disproportionate influence over what policing means in society. Technologies are not just neutral tools, and they are not divorced from politics; they are designed with certain values and goals in mind.” [Source] See also: [The Crime You Have Not Yet Committed]

Online Privacy

WW – Researchers Translate Privacy Policies into Layman’s Terms

A team of Stanford University, Carnegie Mellon University and Fordham University researchers — during a two-year span — simplified more than 20,000 privacy policies from nearly 200 websites into a more approachable and user-friendly form for their Usable Privacy Project . “Our objective is to produce succinct yet informative summaries that can be included in browser plug-ins or interactively conveyed to users by privacy assistants that inform users about salient privacy practices,” said Carnegie Mellon’s “principal investigator.” [SC Magazine]

WW – Google Agrees to Delist Links More Broadly For RTBF Compliance

Google will begin delisting links more broadly in order to better align with data protection authorities’ interpretation of the EU’s right-to-be forgotten mandate. Previously, the company said it wasn’t responsible for delisting links from Google.com and other non-EU search domains. Now, it will use geolocation data to “restrict access to delisted URLs on all Google search domains accessible from the country of the person making the delisting request,” the report states. Google Global Privacy Counsel Peter Fleischer said that, since the European Court’s ruling, the company has worked hard to find the right implementation balance. “Despite occasional disagreements, we’ve maintained a collaborative dialogue with data protection authorities throughout. We’re committed to continuing to work in this way,” he said. According to Fleischer, Google will apply its new policy retrospectively to all search results it has already delisted following RTBF requests. Google’s Transparency Report shows that the company so far has evaluated more than 1.4 million URLs for removal in response to nearly 399,000 RTBF requests. It has delisted about 43% of the links so far while leaving the remaining 57% in place. [eWEEK]

CA – Controversial Calgary-based App Peeple Launches

Curious about your kid’s soccer coach? Wondering what others think of that guy who asked you out? There’s an app for that. Sort of. The Calgary-conceived app Peeple, announced to a firestorm of controversy late last year, is finally launching Monday after retooling a number of features. Peeple will let users rate each other in three areas: personal, professional, and romantic. In a change from the original concept, reviews are only posted with the consent of the person being reviewed — that is, the service is opt-in and a user can hide their negative reviews. But a planned future paid subscription Cordray called the “truth license” — not available for Monday’s launch — will let users see all reviews, even hidden ones. [Calgary Herald] See also: [Fortney: Peeple app creator stands firm, in a bathroom] [and [‘You can’t possibly be that naive’: Dr. Phil delivers a folksy smackdown on Peeple app co-founder]

UK – ‘HAT’ trick: Service Allows Users to See and Trade Their Data

The Hub of all Things is a new service designed by U.K. researchers and aims to be the one-stop-shop for Internet users wanting to control who accesses their data and for how long. It’s a virtual personal data “store,” which allows users to see the data corporations store about them, then trade it, thus reaping the benefit of its value. Designers have launched an Indiegogo campaign to “mobilize a social movement to put the power of the Internet back into individual hands,” the report states. IOT data has “enormous value,” said HATDEX CEO Paul Tasker. “We believe that if all of us have our own HATs, we will have more power in the future to influence how our data is collected, stored and used; hugely benefitting ourselves and society whilst providing new opportunities to firms wanting to sell to us.” [ZDNet]

Other Jurisdictions

NZ – Privacy Commissioner Overwhelmed As Digital Generation Overshares

During a New South Wales parliamentary oversight committee meeting last week, Australian Privacy Commissioner Elizabeth Coombs argued to an oversight committee last week that expanding her role from part time to full time while increasing her office’s resources are necessary to expand the agency’s influence. “So much sharing of data was increasing the demand for her work,” the report states. It’s now “apparent that the digital generation cares about its privacy,” and as such Coombs “has welcomed the call for a significant expansion of her powers.” [The Sydney Morning Herald]

NZ – NSW Parliamentary Committee Backs New Privacy Laws for Individuals

The New South Wales Parliament’s Standing Committee on Law and Justice has announced its support of new legislation that would provide legal redress for individuals after a privacy breach. The laws would “fill gaps” left by the Commonwealth Privacy Act, as the legislation currently only applies to information and not small businesses or individuals, the report states. “The NSW committee has called on the state government to take a lead in the implementation of individualised privacy rules, in the face of ‘a lack of political will federally’ to put in place uniform national legislation,” the report continued. [iTnews]

NZ – NSW Pawnbrokers Association Criticizes MAC Address Requirement

New state laws require pawnbrokers to collect and store the MAC addresses of any Wi-Fi enabled tools that come through their stores. While police argue it will help track stolen devices, the NSW Pawnbrokers Association believes the requirements have “workability” and privacy problems, the report states. Customers are “averse to giving us that information if they don’t have to because they don’t want us to have access in that privacy sense,” said the association’s spokesman. “Some people don’t care — the computer is just a toy or a novelty item, but for others it’s a serious business tool … and they just don’t want people having unfettered access to that information.” [iTnews]

Privacy (US)

US – Apple Tells Judge that US Gov’t is Well-Meaning but Wrong in Privacy Fight

Apple filed its final court brief in the San Bernardino iPhone case. Apple softened its rhetoric against the Justice Department, which has been heated on both sides of the debate in the last few weeks. The 26-page brief is the last court filing by either side until they meet in court March 22. “The government’s motivations are understandable,” Apple wrote in its latest filing, “but its methods for achieving its objectives are contrary to the rule of law, the democratic process, and the rights of the American people.” According to the report, the Department of Justice said Apple was attempting to usurp power from the federal government, adding, “The Constitution and the laws of the United States do not vest that power in a single corporation.” [the Guardian]

US – Verizon Wireless to Pay $1.35 Million Fine to Settle U.S. Privacy Probe

Verizon will pay a $1.35 million fine and agreed to a three-year consent decree after the FCC said it found the company’s wireless unit violated the privacy of its users. Verizon Wireless agreed to get consumer consent before sending data about “supercookies” from its more than 100 million users, under a settlement. The largest U.S. mobile company inserted unique tracking codes in its users traffic for advertising purposes. Supercookies are unique, undeletable identifiers inserted into web traffic to identify customers in order to deliver targeted ads from Verizon and others. The FCC said Verizon Wireless failed to disclose the practice from late 2012 until 2014, violating a 2010 FCC regulation on Internet transparency. The FCC also said the supercookies overrode consumers privacy practices they had set on web browsers, which led some advocates to call it a “zombie cookie.” Under the agreement, consumers must opt in to allow their information to be shared outside Verizon Wireless, and have the right to “opt out” of sharing information with Verizon. Until March 2015, Verizon Wireless consumers could not opt out of the “supercookies,” but after several U.S. senators raised concerns about the practice, the company agreed to allow an opt-out. [Source]

WW – PWC Releases 2015 Enforcement Guide

PricewaterhouseCoopers has released its Privacy and Security Enforcement Tracker 2015. The second-annual guide aims to reflect on the past year’s most significant regulatory movements in the U.K. and across the globe. “If 2014 sounded an alarm to encourage the controllers and users of networks, computer and communications systems and [personnel] to review and improve their practices for privacy and security, then 2015 was the year when the final alarm was sounded,” the guide states. “The message of 2015 is clear: Entities that fail to take voluntary action to remedy bad practices will be forced to change.” [Source]

US – Erin Andrews Awarded $55M for Privacy Invasion

Sports reporter Erin Andrews was awarded $55 million in an invasion of privacy lawsuit. In 2008, a stalker had surreptitiously recorded the well-known reporter while she was getting dressed in her hotel room, thanks to knowledge supplied by the hotel. Though she had asked for $75 million in the lawsuit, the jury was clearly sending a message, recognizing a very real and lasting privacy harm. [Privacy Perspectives]

US – Drone Regulation Faces Committee Approval

The Senate Committee on Commerce, Science, and Transportation looks to approve legislation that would place drone regulation under the Federal Aviation Administration’s control. “Its key provisions would facilitate specific drone tests with set deadlines for progress reports and ensure that the FAA is involved at every step,” the report states. The bipartisan bill pleases drone industry representatives. “These policies will accelerate the safe use of commercial [unmanned aircraft systems] as well as expand collaborative research and operational efforts,” said the Association of Unmanned Vehicle Systems International’s Brian Wynne. “We urge the Senate to pass this bill quickly, as delaying this measure risks stunting a still-nascent industry and restricting many of the beneficial ways that businesses could use UAS technology.” [Morning Consult] See also: the smattering of state drone laws may conflict in with the drone policies of the Federal Aviation Administration

Security

US – Weak Online Banking Password Policies

An investigation revealed that out of these 17 major banks six of them have a significant weakness in their password policy – they ignore case-sensitivity. In total, this security weakness may impact more than 350 million customers nationally. The researchers attempted to contact the banks to inform them about this issue and tried to ask for a statement why they decided to pursue a weak password policy. It turned out that it is almost impossible to contact and notify them about a security issue. When contacted via telephone hotline, most representatives were only trained for everyday business activities. e.g.:

  • 1 org was adamant that they have a case-sensitive password policy, but testing showed otherwise
  • 1 org was not even aware of the existence of a security / IT-department
  • 1 org simply said that this is their policy without any further statement or explanation [Source]

CA – KPMG Report Identified Five Key Cybersecurity Trends

Increased risks of ransomware and extortion-driven attacks as well as the rise of the Internet of Things (IoT) are challenging Canadian organizations in new ways, according to a recent report from audit, tax and advisory services firm KPMG LLP, who have identified five key cybersecurity trends impacting Canadian businesses in its Cyber Watch Report, released last week. These security risks are putting heightened pressure on organizations to protect, detect and respond to new adversaries and threat tactics, while preserving their trust and reputation with customers. [Daily News]

US – University of California Breach Monitoring System Creates Controversy

After a 2015 cyberattack, University of California President and former Secretary of Homeland Security Janet Napolitano secretly ordered a data monitoring security system installed on all state campuses, a move that, when recently exposed, has started a statewide debate. The system “monitors Internet traffic [and] it also stores it for at least 30 days. The idea is to allow security personnel to go back through the traffic to look for breaches.” Both the monitoring system and the secretiveness surrounding it have sparked ire among students and faculty. “The very substance of higher learning really would not be possible unless the faculty and students have some guarantee of confidentiality,” said the American Association of State Colleges and Universities. [NPR]

WW – Windows 10 Will Add APT Protection

At the RSA conference in San Francisco, Microsoft revealed that it would be adding protection against advanced persistent threats (APTs) to Windows 10. The service, Windows Defender Advanced Threat Protection, detects anomalous system activity. It is currently in private beta on about 500,000 systems. [NextGov] [ArsTechnica]

Surveillance

US – FBI Quietly Changes Privacy Rules for Accessing NSA Data

The FBI has quietly revised its privacy rules for searching data involving Americans’ international communications that was collected by the NSA, US officials have confirmed. The classified revisions were accepted by the secret US court that governs surveillance, during its annual recertification of the agencies’ broad surveillance powers. The new rules affect a set of powers colloquially known as Section 702, the portion of the law that authorizes the NSA’s sweeping “Prism” program to collect internet data. Section 702 falls under the Foreign Intelligence Surveillance Act (FISA), and is a provision set to expire later this year. A government civil liberties watchdog, the Privacy and Civil Liberties Oversight Group (PCLOB), alluded to the change in its recent overview of ongoing surveillance practices. The watchdog confirmed in a 2014 report that the FBI is allowed direct access to the NSA’s massive collections of international emails, texts and phone calls – which often include Americans on one end of the conversation. The activists also expressed concern that the FBI’s “minimization” rules, for removing or limiting sensitive data that could identify Americans, did not reflect the bureau’s easy access to the NSA’s collected international communications. FBI officials can search through the data, using Americans’ identifying information, for what PCLOB called “routine” queries unrelated to national security. The oversight group recommended more safeguards around “the FBI’s use and dissemination of Section 702 data in connection with non-foreign intelligence criminal matters”. As of 2014, the FBI was not even required to make note of when it searched the metadata, which includes the “to” or “from” lines of an email. Nor does it record how many of its data searches involve Americans’ identifying details – a practice that apparently continued through 2015, based on documents released last February. The PCLOB called such searches “substantial”, since the FBI keeps NSA-collected data with the information it acquires through more traditional means, such as individualized warrants. But the PCLOB’s new compliance report, released last month, found that the administration has submitted “revised FBI minimization procedures“ that address at least some of the group’s concerns about “many” FBI agents who use NSA-gathered data. “Changes have been implemented based on PCLOB recommendations, but we cannot comment further due to classification,” said Christopher Allen, a spokesman for the FBI. [The Guardian]

US – Court Approves $9 Million Class Action Settlement to Resolve Allegations of Unauthorized Installation of Tracking Software on Mobile Devices

The Court approved a class action settlement resolving allegations that multiple smartphone and tablet makers installed wiretapping software on their devices. Defendants are the following mobile device manufacturers: HTC; Huawei, LG Electronics, Motorola; Pantech, and Samsung. Net proceeds of the settlement will be awarded equally to class members (after payment of service awards, attorneys’ fees, costs and expense, taxes, and the costs of notice and administration of the settlement); a website must be established to provide class members with notice of the material terms of the settlement, procedures to receive benefits or exclude themselves, and how to provide comments about the settlement. [In Re Carrier IQ Inc. Consumer Privacy Litigation – US District Court Northern District of California – Case No. C-12-md-2330-EMC]

Telecom / TV

US – FCC Proposes New Privacy Rules for ISPs

Federal Communications Commission Chairman Tom Wheeler announced the agency’s highly anticipated proposal for new privacy rules for Internet service providers Thursday. Though the agency did not release the actual proposal, Wheeler described the main points of it — which centered around choice, security and transparency — and offered a three-page fact sheet. Not everyone supports this big move by the agency, however. [Source] See also: [How the FCC’s Privacy Proposal Could Affect More Than ISPs] [U.S. FCC Internet privacy proposal could harm broadband providers – Moody’s] [Wheeler: ‘Customers ought to have a say’]

US Government Programs

US – DHS Cyber Threat Sharing Program Review Shows Privacy Risks

A Department of Homeland Security review has revealed that an information-sharing program required under the Cybersecurity Information Sharing Act, passed in December, has privacy protection issues. According to the DHS report, safeguards put in place to prevent personally identifiable information may not be working. There is “residual privacy risk that these processes may not always identify and remove unrelated [personal information], thereby disseminating more [information] than is directly related to the cybersecurity threat,” DHS wrote. Under CISA, any PII shared through the program must be directly related to a cybersecurity threat, the report states. [Source]

US Legislation

US – Colorado May Ease Student Health Privacy Rules in Response to Shootings

A bipartisan Colorado bill aims to grant private therapists and counselors more legal latitude to communicate with school officials when a patient’s behavior could result in “a dangerous environment in a school,” a move that has some mental health workers concerned about its privacy impact. While the bill emphasizes the confidentiality of disclosure practices, some argue it might not be enough. “The main concern is that confidentiality is the backbone of successful therapy and treatment,” argued Mental Health America of Colorado’s Moe Keller, also a former legislator. “You have to be able to trust the person you’re talking to.” The bill passed in the state’s House of Representatives and is posed for a Senate vote. [The Wall Street Journal]

Workplace Privacy

EU – Netherlands: Companies Should Not Track Workers Through Wearables

Dutch Companies may not use wearables to monitor the health of their employees, even if the employees permission controls. This is in breach of the Data Protection Act. That the Authority Personal (AP) determined after investigation of two companies that used wearables to gain insight into the amount of movement of workers. One of the two employers also had insight into the sleep pattern of the employees. The employees of the companies were free to decide whether or not to participate in the experiment. According to the AP, there is an employment relationship, however, no question of free consent, because the employee financially dependent on the company. [Source] [(Original – in Dutch] [Google translation]

US – Approved Bill Deals with Internet Privacy At Work

A bill preventing employers from accessing their employees’ social media accounts passed the legislature on the final day of the 60-day regular session. Del. Stephen Skinner (D-Jefferson) sponsored the Internet Privacy Protection Act (HB 4364) to establish guidelines when it comes to employees’ online privacy. The legislation would prevent employers from obtaining social media passwords from their employees and also help employers, according to Skinner. There are currently no federal laws in place regarding social media privacy at work, Skinner said. [Source]

+++

 

 

01-07 March 2016

Canada

CA – OIPC SK Finds Health Authority Allowed Technologists to Work Under Each Other’s Log-Ins

The Saskatchewan Information and Privacy Commissioner investigated a breach at the Saskatoon Regional Health Authority. It took 3-5 minutes for technologists to log-in and out of the system between patients which was too time-consuming; a number of solutions are being explored including providing each user with their own workstations (this would be very expensive and there is limited physical space), going paperless (there is still heavy reliance on paper requisitions and communications that require scanning), and having an assistant do all the scanning (this could compromise patient safety). [OIPC SK – Investigation Report 176-2015 – Saskatoon Regional Health Authority] See also: [Regina Leader: Saskatchewan Patient Access to Online Health Records Requires Big Focus on Security]

CA – OPC NS Outlines Privacy Rights for Government Info Sharing Initiatives

The Nova Scotia Information and Privacy Commissioner has released guidance on privacy rights in information sharing initiatives. Government entities should be open and transparent about how information sharing initiatives will be implemented, share the least amount of information needed to satisfy the goals of the initiative, and be accountable by implementing initiatives that establish and follow policies and procedures, risk assessment tools, formal agreements and contracts, and privacy breach reporting protocols. [OIPC NS – Protecting and Promoting Canadians Privacy and Access Rights in Information Sharing Initiatives] See also: Privacy Commissioner of Canada Daniel Therrien addressed the Senate and detailed his privacy goals in a keynote posted on the OPC’s site.

Consumer

WW – Billboards Can Track Your Location; Privacy Advocates Hate It

The next time you see a billboard on the side of the road, it may also be scanning you. A geolocation-tracking feature on billboards owned by Clear Channel Outdoor gives the company new ways to target advertising and measure its effectiveness. The service has caught the eye of privacy advocates, who worry that the so-called Radar tracker will be able to collect massive amounts of information from smartphones in cars driving past. Radar will collect mobile data from three Clear Channel partners, including AT&T. Clear Channel Outdoor receives aggregated and anonymous data from its partners, not personal information, said the VP of corporate communications at the company. The company launched the service in 11 markets earlier this week. [Source] See also: [Hey, Siri and Alexa: Let’s talk privacy practices]

Electronic Records

US – Healthcare Organizations Commit to Improve EHR Information Sharing

Several of the nation’s largest players in the private sector have committed to an initiative to improve the ability of providers and patients to share and use information in electronic health records. The effort has gained support from some of the nation’s largest developers of electronic health records systems, representing 90% of the health records used by U.S. hospitals, said the secretary of the Department of Health and Human Services . And the five largest private provider systems in the country are among a group of 16 hospital and health systems that have also indicated support for the initiative. Several large industry professional organizations—including the American Medical Association, the American Health Information Management Association, HIMSS and the College of Healthcare Information Management Executives—were quick to add support for the movement. The vendors and providers have agreed to implement three core commitments: Consumer access: To help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community. No information blocking: To help providers share individuals’ health information for care with other providers and their patients whenever permitted by law, and not block electronic health information (defined as knowingly and unreasonably interfering with information sharing). Standards: Implement federally recognized, national interoperability standards, policies, guidance, and practices for electronic health information and adopt best practices including those related to privacy and security. [Information Management]

Encryption

US – Why N.Y. judge’s All Writs Act Decision Is Huge Win for Apple

U.S. Magistrate Judge James Orenstein of Brooklyn does not have the power to bind other courts. The 50-page opinion he issued this week, denying the Justice Department’s application for an order under the All Writs Act to compel Apple to help the government unlock the phone of a convicted drug dealer, will not end the California federal-court showdown between Apple and the Justice Department over an iPhone belonging to San Bernardino shooter Syed Farook. Judge Orenstein’s decision isn’t even the last word in the Brooklyn case – the Justice Department said that it will ask for the order to be overturned by a district court judge. But Orenstein’s opinion is a milestone in the ongoing debate over privacy and national security. He is the first federal judge to analyze the reach of the All Writs Act in the age of the smartphone, yet he roots his discussion not in technological terms but in fundamental U.S. constitutional principles. Orenstein’s conclusions do not rely on the specific facts of the case before him or on the particulars of the operating system at issue. They are based on his reading of constitutional and Congressional history, providing broad context for his assertion of government overreaching. Judges considering contested All Writs Act requests in other courts may differ with Orenstein but they ought not ignore him. [Source] [Apple and FBI testify in hearing on locked iPhone: What we learned] [Apple’s Tim Cook defends privacy at shareholder meeting]

EU Developments

EU – EU-US Officials Release Privacy Shield Details

The European Commission and U.S. Department of Commerce have released details about the highly anticipated EU-U.S. Privacy Shield arrangement this week. The 132-page Privacy Shield Package includes a set of “Privacy Shield Principles,” two annexes, and letters from the International Trade Administration, U.S. Federal Trade Commission, U.S. Department of Transportation, the U.S. Director of National Intelligence, U.S. Department of State, and the U.S. Department of Justice. The proposed data transfer agreement is being met with criticism from privacy advocates, leaving US companies in limbo regarding the handling of EU citizens’ data. Privacy Shield was created as a replacement for the Safe Harbor Agreement, which the European Court of Justice nullified last October. Privacy Shield now faces scrutiny of EU regulators. [Ars Technica] [The Hill] [ComputerWorld] [Fortune] [The Privacy Advisor]

EU – WP29 Issues Statement on Privacy Shield

The group of EU data protection authorities — the Article 29 Working Party — issued a statement this week in response to the newly published details of the proposed EU-U.S. Privacy Shield arrangement. The group says it “welcomes the publication of the draft ‘adequacy decision’ of the European Commission” and the corresponding texts comprising the arrangement. It also said it will “analyze the safeguards” both in terms of the commercial and national security aspects and will finalize a draft opinion at its next plenary meeting on April 12 and 13. Meanwhile, reaction to the 132-page package is underway, including from Schleswig-Holstein DPA Marit Hansen. [Source]

UK – Techs, Privacy Wonks & Politicos Blast Investigatory Powers Bill

A tweaked version of the Investigatory Powers Bill—which seeks to augment surveillance of Brits’ online activity—landed with a thud in parliament this week, as privacy groups, the tech world, and politicians lined up to attack home secretary Theresa May’s proposed law. Time and time again, the word “disappointment” was bandied around by companies, organisations, and individuals that will be directly affected by the planned legislation. Many critics expressed anger about May’s dismissive response to the key recommendations laid out in three separate parliamentary reports about the Snoopers’ Charter, as it is colloquially known. [Ars Technica] [Everything you need to know about the redrafted IP Bill] [According to opinion polls voters don’t mind mass surveillance] [UK: Surveillance law: Revised bill to add privacy safeguards] [The UK government has been hacking for years—and now it’s legal]

EU – Facebook Hit With German Antitrust Investigation Over User Terms

Germany’s Federal Cartel Office will begin an investigation on Facebook’s data collection and advertising agreements. The unclear terms create “an abusive imposition of unfair conditions on users,” the Bundeskartellamt argued in a statement. “There is considerable doubt as to the admissibility of this procedure, in particular under applicable national data protection law,” the statement continued. “If there is a connection between such an infringement and market dominance, this could also constitute an abusive practice under competition law.” Facebook disagrees. “We are confident that we comply with the law and we look forward to working with the Federal Cartel Office to answer their questions.” [Fortune]

EU – German Privacy Watchdog Plans to Fine US Companies

Hamburg (Germany) Data Protection Authority (DPA) plans to fine three US companies for mishandling EU citizens’ data. The companies were following the Safe Harbor agreement that an EU court nullified last fall. Because there is not a firm new agreement in place, companies that are transferring data are breaking the law. Two other companies are reportedly under investigation. [Fortune] See also: Germany’s new data protection enforcement law went live on Feb. 24, and it could pose “an additional risk” for companies. See also: French data protection authority, CNIL, published its Single Authorization Decision No. 46, which aims to simplify the “administration burden” of legal compliance upon data processing.

Facts & Stats

WW – National Security Trumps Digital Privacy: 24 Country Survey

According to a new survey commissioned by the Centre for International Governance Innovation (CIGI) and conducted by global research company Ipsos, most global citizens favour enabling law enforcement to access private online conversations if they have valid national security reasons to do so, or if they are investigating an individual suspected of committing a crime. The survey also found that a majority of respondents do not want companies to develop technologies that would undermine law enforcement’s ability to access much needed data.

  • Seven in ten (70%) global citizens agree that law enforcement agencies should have a right to access the content of their citizens’ online communications for valid national security reasons, including 69% of Americans and 65% of Canadians who agree.
  • When someone is suspected of a crime, 85% of global citizens agree that governments should be able to find out who their suspects communicated with online, including 80% of Americans who agree.
  • More contentious is the idea of whether companies should be allowed to develop technologies that prevent law enforcement from accessing the content of an individual’s online conversations. On this issue, 63% agree that companies should not develop this technology, including 60% of Americans, and 57% of Canadians whom are most likely to agree with this statement.

Read the news release here. [Centre for International Governance Innovation (CIGI)]

Finance

CA – CRA Automates Most of Your Return, Helping Tax Software

Electronic tax filing is getting easier this year with Auto-fill, a CRA service that enters information for taxpayers using most kinds of certified tax software. The CRA has always had copies of most of the forms about each taxpayer, receiving them from banks and employers before you do. Last year it began a pilot program with the service it calls Auto-fill that allowed chartered accountants and other certified tax professionals to have this data entered onto a personal tax form automatically. This year that program rolls out to everyone. As long as you are filing on a software program that offers the option and have a “MyAccount” file with the CRA, the Auto-fill function will work. Groups such as Open Media and the Canadian Civil Liberties Association say Auto-fill is too new to assess the privacy implications. The CRA insists the Auto-fill function is secure, as information is only available if a taxpayer logs into MyAccount, which requires a robust password. Ann Cavoukian, a former privacy commissioner, said it is right to worry about privacy and security whenever a new feature like this is rolled out. [Source]

WW – Google’s New Payments App Means Never Having to Pull Out Your Wallet

Pay with your voice. Google has released to the public a new app called Hands Free, which lets people pay for items in stores by simply telling the cashier, “I’ll pay with Google.” The app, available for Android and Apple phones, is only being piloted in a few locations in the San Francisco area, including some McDonald’s and Papa John’s restaurants.Hands Free, which is separate from Google’s Android Pay mobile payments app, works by tracking your location using Wi-Fi and other sensors in your smartphone to detect whether you’re near a participating store. After you say “I’ll pay with Google,” the cashier confirms your identity by using your initials and the photo you’ve loaded onto the Hands Free app. At some stores, Google is also experimenting with an in-store camera to verify your identity automatically based on your Hands Free profile picture. Google said images and data from these cameras are deleted immediately and can’t be accessed by the stores. [Source]

FOI

CA – OIPC BC Upholds City’s Decision to Withhold Records

The Office of the BC Information and Privacy Commissioner reviewed a decision by the City of Nanaimo to deny access to records requested pursuant to the Freedom of Information and Protection of Privacy Act. The City was ordered to continue to withhold records which could reveal a motion made at an in camera Committee, emails exchanged between the City and regional district containing explicit markers of confidentiality, and assessment and evaluation records of how a City employee performed his job duties. [OIPC BC – Order F16-03 – City of Nanaimo]

Genetics

US – Obama Says People Who Give Genetic Samples for Research Should Own the Data

During last week’s summit on the Precision Medicine Initiative at the White House, President Barack Obama acknowledged the thorny issues surrounding genetic data ownership, a move some view as unprecedented. “It requires, first of all, us understanding who owns the data,” Obama said. “And I would like to think that if somebody does a test on me or my genes, that that’s mine. But that’s not always how we define these issues, right? So there’s some legal issues involved,” he added. “I had not heard this before from the president or anyone high-up at the White House, said Genetic Alliance’s Sharon Terry. [Slate] See also: [Manitoba DNA sweeps pose wrenching ethical questions: Carol Goar]

Health / Medical

US – Health IT Firms Ally with White House on Initiatives

The Obama administration announced that it has received commitments from various health IT developers to assist the president’s health care modernization initiatives. Among the proposed plans are allowing patients to access their records and test results with greater ease; streamlining data sharing between entities, while ensuring adherence to privacy legislation: and making the “data language” between groups universal, the report states. “We are working to unlock healthcare data and information so that providers are better informed and patients and families can access their healthcare information, making them empowered, active participants in their own care,” said Health and Human Services Secretary Sylvia Burwell. [The Hill]

EU – German Hospitals Hit with Ransomware

Computer systems at two hospitals in Germany were infected with ransomware. The cleanup process is expected to take several weeks. At Lukas Hospital in Neuss, the attack affected an x-ray system, an email server, and other network components. At Klinikum Arnsberg in North Rhine-Westphalia, the attack was detected after it infected one server. There are reports that a third hospital was targeted as well. [ZDNet] [The Register] [SCMagazine] [DW.com] See also: [The “HawkEye” attack: how cybercrooks target small businesses for big money]

UK – NHS Suffers 105 Security Breaches Over Personal Data in Year

Security breaches over personal data held by the NHS nearly doubled to more than 100 during the last financial year. Figures obtained under the Freedom of Information Act show that there were 105 such breaches in hospitals and other bodies in the National Health Service in the financial year 2014-15. This was an increase of 81% on the previous year, with 58 security breaches over personal data. The UK Information Commissioner’s Office said that action was taken to prevent repetitions, including six “enforcement notices” against NHS bodies in 2014-15. [ExaroNews]

Horror Stories

US – IRS Breach Now Estimated to Affect 724,000 People

The number of people affected by the US Internal Revenue Service (IRS) data breach keeps growing. The agency now estimates that the personal information of as many as 724,000 people has been stolen since January 2014. When the breach was first disclosed, the IRS estimated that it affected roughly 100,000 people; that figure was revised to 334,000 on August 2015. [NextGov] [NBCNews] [The Hill] [ComputerWorld] [The Register] [Krebs on Security]

WW – Companies Underestimating Breaches’ ‘Human Element’: Study

The breach catalyzed by a Snapchat employee who fell for a phishing scam is symptomatic of many companies’ data security problems. “Even if your technical security is up to snuff, your people may let you down.” A 2015 CompTIA survey found that more than half of security breaches that year were caused by human error, with 30% of respondents considering the “human element” to be a significant cybersecurity concern. The survey “suggests that companies may not be doing enough to prepare their workers for a world where a new scam might be in their inbox everyday.” [Washington Post] See also: [Hackers Can Steal Passwords, But Not User Behavior: In almost every publicized breach, security analysts ignored the crucial alerts due to the copious amounts of false alarms triggered on a daily basis]

Identity Issues

CA – Manitoba’s Multi-use PID Cards: Convenience Trumps Privacy

On January 11, 2016, Manitoba announced its approval of an all-in-one personal identification card (PIC). The PIC will offer Manitobans a combined driver’s licence, photo ID, Personal Health Identification Number (PHIN) and travel document as early as fall 2017. While the consolidation of identification into one location is a blessing for consumers, it raises privacy concerns and creates some challenges for business. BC introduced a similar combined card in February 2013. But unlike BC, where the province was criticized for not consulting the public, Manitoba Health Minister Sharon Blady emphasized that the move towards PICs came after a five-week public consultation process where overwhelmingly positive responses were reported. 80% of Manitobans surveyed said they agreed with the idea of creating an all-in-one PIC. However, a closer look at Manitoba’s full consultation report reveals interesting data on why PICs were supported. For example, when asked what the most important benefits of the proposed PICs were, 73% of respondents indicated convenience while only 18% cited enhanced protection. Similarly, in an online survey of 1,515 Manitobans, 71% rated convenience as the top benefit while only 16% indicated protection of identity theft/fraud. Public sentiment towards the convenience of PICs illustrates how privacy concerns, which trumped proposals for a national identity card in 2002, could be overlooked in today’s digital age. As a recent survey by the Pew Research Centre demonstrates, people are consistently willing to share personal information in exchange for something of perceived value. For example, 52% of respondents in the Pew survey said they would allow their doctor’s office to upload their personal health information onto a website described as “secure” if it made scheduling appointments easier and facilitated easy access to medical records. [CyberLex Blog (McCarthy Tétrault)]

CA – Inadvertent Sharing of Canadians’ Metadata by Intelligence Agency Shows Weaknesses of De-Identification

Two lawyers examine the sharing of intelligence data between the Five Eyes allies. The agency’s de-identification techniques failed when mixed with its allies’ re-identification capabilities; the risk of re-identification increases significantly where a data set includes data such as location-based data, IP addresses or cookies, or where the attack vector includes significant amounts of secondary data that can be linked to the de-identified dataset. [Why We Need to Reevaluate How We Share Intelligence Data With Allies – Tamir Israel and Christopher Parsons, Just Security]

Internet / WWW

WW – New Project Monitors Social Media for Signs of Mental Illness

Canadian and French researchers are working on algorithm to screen online posts for warning signs. $464,100 has been granted to the University of Ottawa for a three-year-long project called “social web mining and sentiment analysis for mental illness detection.”   “Social media is everywhere,” reads a news release issued by the university. “Internet users are posting, blogging and tweeting about almost everything, including their moods, activities and social interactions.”    The release goes on to explain how scientists from the universities of Ottawa, Alberta and Montpellier in France, will explore the use of social media data in screening for individuals at risk of mental health issues. [CBC]

Law Enforcement

CA – Saskatchewan Police Don’t Have or Want Stingray Tech

Municipal police agencies in Saskatchewan say they’re currently not using — and have no plans to use — “stingray” technology employed by other law enforcement agencies for tracking cellular devices. The technology has come under criticism south of the border from the ACLU; about 60 police agencies across 23 states and the DC in the U.S. have been reported to use the devices. According to a 2015 report from the ACLU, “stingrays,” also known as cell site simulators, are considered “invasive cellphone surveillance devices that mimic cellphone towers and send out signals to trick cellphones in the area into transmitting their locations and identifying information.” Brenda McPhail, director of the Canadian Civil Liberties Association’s privacy, technology and surveillance project, said stingray technology is on the rights advocacy group’s radar. She said requests for information on the devices within the Vancouver Police Department by Vancouver-based advocacy organization Pivot Legal Society, and of the RCMP and the Ontario Provincial Police by the Toronto Star in 2015, have gone largely unanswered. However, McPhail said chances are slim the device is nowhere to be found in Canada. [Saskatoon StarPhoenix] See also: [StingRays breach cell phone privacy]

US – Maryland Bill Permits Govt Use of Automatic License Plate Reader Systems

The State of Maryland has introduced a Bill related to the use of Automated License Plate Readers by law enforcement. Law enforcement agencies are not permitted to use captured data from an automated license plate reader unless the agency has a legitimate law enforcement purposes; the Department of State Police must adopt procedures including an audit process to ensure that information obtained through the use of an automatic license plate reader system is used only for legitimate law enforcement purposes, and safeguards to ensure that staff with access to the automatic license plate reader database are adequately screened and trained. [Maryland Public Safety Code 3-509 – License Plate Readers]

CA – MPPAC: RCMP Commissioner Should Resign Over Breach

The Mounted Police Professional Association of Canada (MPPAC) is calling for the resignation of the RCMP Commissioner Bob Paulson, following an investigation from the Office of the Privacy Commissioner of Canada which found that the release of RCMP members medical information was a “well-founded serious privacy breach.” Commissioner Paulson admitted that he authorized the investigation. Just this week Commissioner Paulson admitted to authorizing the release of sensitive health information of RCMP officers to the College of Psychologists without their permission. Canada’s Privacy Commissioner concluded that by sharing private medical information without the consent of the officers, the RCMP breached the Privacy Act. If the Commissioner does not resign, MPPAC is calling on the Government of Canada to take appropriate action. [Canada NewsWire]

Online Privacy

WW – Protect Your Privacy Online—and See Better Prices Doing It

The prices you see while shopping on the Web are aren’t always the same as the deals displayed to your spouse, neighbors or co-workers. But now, at least one technology company is helping customers see the unadulterated costs of their online purchases. eBlocker is a device that attaches to customers’ Wi-Fi routers to mask their identity from online tracking software. eBlocker protects every device in your home by combining the power of an advertising blocker, an IP address rerouter and by protecting you from being identified by third-party trackers. In other words, when you get online, you get a clean slate as if you’ve never used that device before. You can still use first-party cookies, like those that remember your passwords, but once you leave that website, you’re anonymous again. It’s like a combination of encryption, Adblock Plus and Tor, a so-called onion router often associated with the “dark Web.” But eBlocker avoids the hassle of installing all these on each device. It’s all part of an elaborate industry aimed at stopping a largely opaque phenomenon of online tracking: dynamic pricing. [CNBC]

Other Jurisdictions

AU – NSW May Introduce Tort/Law of Invasions of Privacy

Secret mobile phone recordings and revenge porn-style social media posts could be subject to tough new laws in NSW allowing people to sue for damages for invasion of privacy. The State Parliament’s law and justice committee recommended that NSW should “lead the way” in Australia in creating a new legal action for serious invasions of privacy. The laws could be replicated across the country. Under the plan, a person could sue for damages if their privacy had been invaded intentionally or recklessly. Governments and corporations would be held to a higher standard, and could also be pursued for damages over “big data”-style privacy breaches committed negligently. But experts have raised questions about whether the laws go too far, and might catch a wide range of “common human errors” such as government or corporate employees sending an email containing private information to the wrong recipient. The recommendations, endorsed unanimously by committee members drawn from the ranks of the Coalition, Labor and the Greens, follow renewed debate about the adequacy of existing laws protecting against invasions of privacy. [Sydney Morning Herald]

Privacy (US)

US – Apple Wins Ruling in New York iPhone Hacking Order

U.S. Magistrate Judge James Orenstein denied a government request that Apple help it gather data from an iPhone in a drug case, a ruling that bolsters Apple’s pro-privacy posture and potentially paves the way for similar judgments in other pending cases, including the iPhone of one of the San Bernardino shooters. Orenstein ruled the government was expanding its authority too broadly by using the All Writs Act to compel Apple to extract the locked phone’s data. Apple’s top lawyer, Bruce Sewell will testify in front of Congress today, along with FBI Director James Comey, on encryption and government access for law enforcement purposes. Meanwhile, Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Texas, have officially introduced legislation that would create a National Commission on Security and Technology Challenges to help find solutions to the encryption and data security issue. [New York Times] See also: [Privacy groups wary of compromise encryption bill]

US – NY Court Rejects FBI Argument for Breaking iPhone Lockscreen in 2nd Case

Apple just won a victory in an iPhone warrant case although it may not help the company in its San Bernardino trial. The victory comes from a New York district court that’s been facing something legally similar to the higher-profile warrant case playing out in San Bernardino. In a 50-page ruling, Magistrate Judge Orenstein found that the All Writs Act did not justify the government’s request, and denied the government’s request to legally compel Apple’s help. [The Verge] See also: [Huge data cache retrieved from electronic devices belonging to men accused of Tim Bosma murder: OPP]

US – Legislators Speak Out in Support of Apple

Representative Darrell Issa (R-California) has published a column on Wired.com in which he writes, “The FBI cannot mandate that Apple create a backdoor to override the iPhone’s encryption features without creating a dangerous precedent that could cast a long shadow over the future of how we use our phones, laptops, and the internet for years to come.” [Wired] In a letter to FBI Director James Comey, US Congressman Ted Lieu (D-California) writes, “As a computer science major, I have seen far-reaching unintended consequences when government applies outmoded concepts to out fast changing technological world.” [FCW] As the debate surrounding the FBI’s case against Apple continues, two U.S. lawmakers have proposed a new multi-stakeholder commission to investigate data security issues.

US – Digital Equilibrium Project on Privacy and Security in the Connected World

The Digital Equilibrium Project, a collection of privacy and infosecurity veterans from government and industry have launched a white paper to define the issue and announce plans for a summit this summer to tackle what they describe as the “growing tension between privacy and security.” This paper is meant to foster a new, collaborative discussion on the most pressing questions that could determine the future safety and social value of the internet and the digital technologies that depend on it. It urges governments, corporations and privacy advocates to put aside the polarizing arguments that have cast security and privacy as opposing forces, posing 4 fundamental questions that must be addressed to ensure the digital world can evolve in ways that ensure individual privacy while enabling the productivity and commercial gains that can improve quality of life around the globe. Ann Cavoukian is among the authors. [Read Now]

US – California DMV Sued for Alleged Illegal Data Retention

Six plaintiffs maintain that California’s Department of Motor Vehicles breached the Information Practices Act and due process by unlawfully collecting and sharing private criminal records. The court papers, filed last week, argue that the agency has a trove of “upwards of one million” Californians’ data, a move that “violates privacy protections for certain records by retaining them after the statutory period has expired,” the report states. “California employers are aware that the DMV’s loose record retention and reporting practices allow them access to criminal history records they would otherwise be unable to obtain,” the suit states. “They take full advantage of this criminal record reporting loophole.” [Courthouse News]

Privacy Enhancing Technologies (PETs)

US – DHS Awards Yale University $1.7M for Data Privacy Research

Yale University’s “PriFi Networking” project now has $1.7 million from the Department of Homeland Security, a grant from the agency that aims to assist the university’s anti-tracking and surveillance technology development. The gift was thanks to the DHS Science and Technology Cyber Security Division’s Data Privacy program that invests in the creation of cost-effective and approachable pro-privacy tools. “Keeping the homeland secure depends on both guarding and granting access to secure systems, facilities, and other resources,” said DHS Undersecretary for Science and Technology Dr. Reginald Brothers. “Protecting Personally Identifiable Information is vital to the DHS mission and S&T has a long-standing interest in privacy-enhancing technologies.” [Newswise]

Security

US – IBM to Acquire Resilient Systems, Bringing Bruce Schneier on Board

Cybersecurity firm Resilient Systems and its Chief Technology Officer Bruce Schneier will become a part of the IBM family. “The acquisition will give IBM Security the industry’s first integrated end-to-end platform combining analytics, forensics, vulnerability management and incident response,” the report states. “The deal should be good for both companies, and will certainly benefit their respective customers.” [PCWorld]

US – CFPB Dives Into Data Security Enforcement

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) announced its first data security enforcement action in the form of a Consent Order with online payment platform Dwolla, Inc.  The five-year Consent Order is based on CFPB allegations that Dwolla engaged in deceptive acts and practices by misrepresenting to consumers that it had “reasonable and appropriate data security practices.”  Dwolla neither admitted nor denied that it engaged in data security misrepresentations.  The CFPB fined Dwolla $100,000, enjoined it from making further misrepresentations, and is requiring that it develop a written, comprehensive data security program, designate a person responsible for the program, provide employee training, conduct risk assessments, and undergo independent third party audits annually, among other things.  The CFPB also places primary responsibility for compliance with the Consent Order on Dwolla’s board of directors. [HLDA]

WW – Securing Data for Remote Access Users

Business requirements, distributed operations, and cloud deployments are forcing organizations to rethink remote access requirements, including how to secure the data and applications they access. According to a study conducted by software company Intuit, by 2020 more than 40% of the U.S. workforce will be contractors and contingent workers; that’s more than 60 million people. Why so? Because of the almost ubiquitous needs for organizations to share data in such a way that it speeds the flow of business transactions. The result is that most users are outside the enterprises, accessing data and applications as credentialed guests. And hence, the ‘outside-in’ network is the new normal. [Source]

Surveillance

US – California Courts Demand Total Access to Email and Social Media Accounts

The California Electronic Communications Privacy Act. Which took effect on Jan 1, 2016, has privacy advocates concerned that its “Fourth waiver” element railroads the privacy of individuals under probation or parole. This component of the act permits law enforcement to check the laptops or other devices of individuals on parole without a warrant. “Folks on parole, probation, even supervised release, they have a reduced expectation of privacy while they’re under supervision,” said the ACLU of California. “But that’s not the same as no right to privacy online or offline.” [The Intercept]

Telecom / TV

US – Cable/Telecom Operators Offer Up Privacy Framework to FCC

The National Cable & Telecommunications Association and American Cable Association have joined with other trade and tech groups to offer up what is being billed as a consensus privacy framework outlining guiding privacy principles. In essence, the framework is an articulation of NCTA’s argument that rather than come up with new rules and regs, the FCC should, as the new proposal says, “[pursue] reasonable enforcement actions against telecommunications service providers that have clearly violated these principles.” That is the FTC model. The FTC has enforcement authority but very limited authority to promulgate new regulations. The proposal, which was offered up in a letter to FCC chairman Tom Wheeler comes as the FCC prepares a proposal on how to oversee broadband sub privacy–a new authority under its Title II reclassification–as it currently does traditional video CPNI (customer network proprietary information). A vote on that proposal could come as early as this month’s public meeting. NCTA and ACA, joined by USTelecom, CTIA and the Competitive Carriers Association, said the FCC should focus on four things: “(1) transparency; (2) respect for context and consumer choice; (3) data security; and (4) data breach notification.” [Source] See also: [The 5 Things Every Privacy Lawyer Needs to Know about the FTC]

US – Publishing Group Calls on FCC to Regulate Broadband Data Use

As the Federal Communications Commission begins to draft privacy regulations for broadband providers, online publishing group Digital Content Next advised the FCC to ensure broadband companies both inform and empower their customers about the companies’ use of personal data. “In light of their access to sensitive information about consumers, we urge the FCC to require broadband providers to provide consumers with transparency and meaningful choice with regard to the collection and use of personal information,” DCN wrote in its letter to the FCC. “Consumers should have the ability to exercise choice via a mechanism that is easy to use, persistent and universal.” [MediaPost]

US – Swire Study: Encryption, Mobile Devices Curb ISP Knowledge

In a new report, Alston & Bird’s Peter Swire says that the employment of encryption and mobile devices has shrunk Internet service providers’ knowledge regarding their customers’ online habits. His study aims to counter advocacy groups’ “widely-held but mistaken view about Internet service providers and privacy,” he said, one that sees ISPs as entities collecting treasure troves of user data without consent. While staying away from definitive policy suggestions, Swire says overall, “public policy should be consistent and based on an up-to-date and accurate understanding of the facts of this ecosystem.” [MediaPost]

US Government Programs

US – TSA Defends Full-Body Scanners at Airport Checkpoints

Three years, more than 1,000 comments and multiple challenges by advocacy groups later, the TSA issued a rule finalizing its policy for using full-body scanners at airports. While TSA insists the machines are the best way to protect the nation’s travelers from terror attacks, critics challenge the use of devices over privacy and health concerns. The legal battle went all the way to an appeals court, which said TSA could keep the machines if it took legal steps to justify their use. In a 157-page report that summarizes arguments for and against the machines, and their hefty price tag — $2.1 billion from 2008 through 2017 — the agency said the devices provide “the most effective and least intrusive” way to search travelers for weapons hidden under their clothes. And with that, the agency finalized its regulation governing the machines. The rule won’t change anything for travelers. Even as the question wound its way through courts, TSA deployed the machines and now uses 793 full-body scanners at 157 airports. [Source]

US Legislation

US – Legislative Roundup

+++

 

 

Privacy News Highlights: 22-29 February 2016

Biometrics

CA – Mastercard to Bring ‘Selfie Pay’ to Canada This Summer

MasterCard will officially be rolling out its biometric payment service, MasterCard Identity Check – a smartphone app which allows users to verify purchases by taking a selfie instead of entering a password – to 14 countries, including Canada, this summer, the company announced this week according. The service, which MasterCard has tested in app form with nearly 1,000 consumers in the U.S. and Netherlands, requires users to provide a photo of their face when signing up, after which the service measures prominent facial “landmarks” and converts them into an algorithm that can be compared to future pictures. To avoid fooling the app with an existing picture, users must blink while snapping the photo to prove their humanity. Biometrics carry their own set of risks: many of us have posted our faces on multiple websites or had them picked up by surveillance cameras – and it’s difficult, for the average person to change their face. Other smartphone companies such as Apple and Samsung have incorporated biometrics technology including facial recognition and fingerprint scanning software into their devices, and hackers have proven themselves capable of bypassing them. Details regarding the Canadian version of Identity Check, which has already been colloquially dubbed “selfie pay,” are not yet available. [ITBusiness] [video explaining the technology]

Canada

CA – CSE Unlawful Sharing of Metadata Went on for Years

It’s impossible to know how many Canadians had their personal data shared by the country’s electronic spy agency in a metadata glitch, according to its watchdog. Jean-Pierre Plouffe, commissioner of the Communications Security Establishment (CSE), told a Senate committee Monday that data were erased from the agency’s system, making it difficult to find out the number of people impacted. A month ago, Plouffe tabled his annual report in the House of Commons, revealing for the first time that CSE illegally and unintentionally shared metadata with Canada’s Five Eyes intelligence allies: the United States, United Kingdom, Australia and New Zealand. That data may include Canadians’ personal information, including phone numbers or email addresses, but not the content of emails or recordings of phone calls.

“It’s not accidental,” Plouffe said in an interview about the CSE breaking the law. “It’s because of a lack of due diligence.” Metadata is information associated with communication that is used to identify, describe or route information. CSE is supposed to monitor only foreign communications for intelligence that may be of interest to Canada. [CBC] [Canadian electronic spy agency’s unlawful metadata sharing went on for years before being fixed] [Outrage over CSE metadata collection and blunders ‘Difficult to determine’ scope of privacy breach in Five Eyes data sharing ]

CA – CSIS Using New Powers to Disrupt Terrorists Since Bill C-51 Became Law

Powers to disrupt include blocking financial transactions, shutting down websites. The disruption powers allow CSIS to interfere with, telephone calls, travel plans and bank or financial transactions. The agency can also disrupt radical websites and Twitter accounts of groups or people inside and outside of Canada. This provision in the act has garnered criticism from the outset, because there is no clear definition of what “disrupt” means in the legislation, causing some to be concerned the power would be abused by police and intelligence services. [Source] [Canada: CSE can assist in ‘threat reduction’ without a warrant, documents show]

CA – PEI’s OIPC Finds Privacy Breaches by 5 Gov’t Agencies

P.E.I.’s Information and Privacy commissioner has ruled five different provincial government departments and agencies violated the privacy of someone who filed multiple applications under the Freedom of Information and Protection of Privacy Act by circulating his name, mailing address, telephone number, email address and signature with copies of his requests for information. After submitting applications for information from the various government agencies, the applicant filed a complaint with the commissioner, saying his personal information and details about his access requests were shared among them, and as a result, his requests were subjected to an “unequal, prejudicial and arbitrary process.” The privacy commissioner determined a meeting had taken place, but said there was insufficient evidence that “any public body improperly collected the complainant’s personal information” during the meeting. However, the commissioner concluded all five public bodies did violate the privacy of the applicant by circulating his name, mailing address, telephone number, email address and signature with copies of his requests for information. The commissioner said she believed the violation was inadvertent. The commissioner noted all public bodies have since been told to sever personal information from information request forms. The applicant also charged one of the agencies involved, the P.E.I. Liquor Control Commission, violated his privacy by compiling personal information from internet searches, including his photo, employment history and educational background. The commissioner agreed the information was collected, but determined that did not constitute a breach because it was publicly available, and it was gathered in order to respond to the applicant’s privacy complaint. [Source]

Other Ontario News

Consumer

US – Cognitive Dissonance in How Americans Value Privacy: Survey

How much do Americans really value their online privacy? According to study findings, a considerable majority of 63% of respondents experienced some sort of online security issues. But despite the frequency of these issues, just over half of them (56%) actually made permanent behavior changes to guard against their reoccurrence. 24% of respondents admitted to using unsecured public Wi-Fi, meaning that their data is effectively ripe for the picking, “quite often or all the time.” And despite the fact that 67% said they wanted extra layers of privacy, a very small percentage actually utilize available tools to this end. In fact, only 16% use privacy-enhancing browser plug-ins, just 13% use two-factor authentication, only 11% use a VPN, and just 4 percent use anonymity software. [Source]

E-Mail

CA – Legal Trends 2016: Anti-Spam

In each of the three instances in which the CRTC entered into an undertaking in 2015, the undertaking included a monetary payment (ranging from C$48,000 to C$200,000) and an agreement by the company to update and implement a compliance program that would (1) cover elements such as corporate compliance policies and procedures, training and education, monitoring, auditing, and reporting mechanisms, and (2) apply consistent disciplinary procedures. In one enforcement action, the CRTC took issue with the fact that a company was allegedly sending CEMs to email addresses without proof of consent for each recipient. [Mondaq]

Encryption

US – Apple Faces U.S. Demand to Unlock 9 More iPhones

The Justice Department is demanding Apple’s help in unlocking at least nine iPhones nationwide in addition to the phone used by one of the San Bernardino, Calif., attackers. The disclosure appears to buttress the company’s concerns that the dispute could pose a threat to encryption safeguards that goes well beyond the single California case. Apple is fighting the government’s demands in at least seven of the other nine cases. “Apple has not agreed to perform any services on the devices.”. Starting in December, Apple has in a number of cases objected to the Justice Department’s efforts to force its cooperation through a 1789 statute known as the All Writs Act, which says courts can require actions to comply with their orders. [The New York Times] [Apple, the FBI, and the All Writs Act] [The Lowdown on the Apple-FBI Showdown] [Apple calls for commission to discuss FBI’s iPhone unlocking demands]

Facts & Stats

WW – Gov’t Accounted for 43% of 2015 Breaches Worldwide

Digital security firm Gemalto this week released its latest Breach Level Index database report which revealed that 707 million records worldwide were compromised in 1,673 data breaches across the globe during 2015. That breaks down to a staggering 1,938,383 records lost every day, or 22 per second. Unsurprisingly, 1,222 of last year’s incidents occurred in the U.S., and Gemalto estimated 419.7 million records were compromised. Government agencies were hit the hardest in 2015 and comprised 43 percent of all recorded breaches, skyrocketing up a full 476% from the previous year. Unsurprisingly, incidents in the healthcare sector resulted in 134 million compromised records, a 217% jump from 2014. Quieting fears that attackers are mainly after financial information, the report shows that only 22% of incidents were designed to steal financial data. On the other hand, a full 53% were aimed at identity theft. “If security executives needed further evidence that identity theft is a still a serious problem,” said researchers. “This is it.” The report contained a wealth of information and tips aimed at security professionals, but records protection is obviously a concern for records managers as well, so it’s worth a quick read. [Source] [Gemalto’s Breach Live Index Report]

FOI

CA – PEI Province Must Turn Over Documents on E-Gaming Loan

The P.E.I. government has been ordered to release a document that outlines details of a $950,000 government loan that funded the province’s controversial e-gaming scheme. P.E.I. Privacy Commissioner Karen Rose delivered this ruling as a result of a FOI request by TC Media requesting details of this e-gaming loan. The province refused to disclose a one-page document that provides a breakdown of where and how the money from the e-gaming loan was to be spent. In her decision, Rose states the financial e-gaming document is not information that belongs to the Mi’kmaq Confederacy and is thus a public document. She also determined the information within this record was not supplied in confidence nor was there sufficient evidence provided that disclosing the information would significantly harm the confederacy’s competitive or negotiating position. However, she rejected TC Media’s assertion the information falls within the public interest, citing an interpretation that this argument can only be used if it is matter of “compelling public interest,” applying mainly to matters of health or safety and not to political issues. [Source]

CA – OIPC NS Find Jobs Forecast and Actual Jobs Report Can be Released

The Office of the Information and Privacy Commissioner in Nova Scotia reviewed a decision by the Nova Scotia Business, Inc. to refuse to disclose records pursuant to the Freedom of Information and Protection of Privacy Act. The public body successfully claimed that jobs information supplied by third parties applying for financing and rebates was provided in confidence (the proprietary information was submitted on the basis of it being held in the strictest of confidence), but did not establish that there was a reasonable expectation of harm if released (no evidence was provided that it would significantly harm the third party’s planned growth or rebate performance targets). [OIPC NS – Review Report 16-01 – Nova Scotia Business Inc.]

Genetics

CA – OPC Voices Support for Genetic Discrimination Bill, But Wants Changes

Daniel Therrien testified at the Senate human rights committee on Bill S-201, which aims to prevent discrimination against a person based on their genetic testing. He offered broad support to Senator James Cowan’s bill that would prevent unsanctioned access to a person’s genetic test results, but worried that changes it would make to federal privacy laws could cause unintended consequences in future court cases.

“It’s crucial individuals remain in control to their data,” he told the committee. Therrien spoke in favour a clause which would prohibit the collection or use of “the results of a genetic test of the individual without the individual’s written consent.” He said it creates a “good and balanced way to represent the wishes of those who wish to share their genetic test results and those who do not.” But Therrien recommended removing clauses that would add a definition for “personal information” into the Privacy Act by adding the wording “information derived from genetic testing of the individual.” [iPolitics]

Health / Medical

US – OCR Releases mHealth Guidance for App Developers

Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights (OCR) has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A more clear understanding of how the rules apply can also help bring down barriers to innovation. The guidance, titled “Health App Use Scenarios& HIPAA,” builds on the mHealth Developer Portal, which serves as a platform for users to share difficult use cases and best practices. On the portal, developers can also submit questions to OCR that will inform future guidance releases. OCR announced the guidance with a statement that the agency hopes it will help developers determine “how federal regulations might apply to the products they are building” and reduce uncertainty. The guidance offers developers background information on HIPAA and then details various scenarios, identifying when an app developer is—and is not—acting as a business associate. [Source]

CA – Edmonton Health Worker Fined For Illegally Accessing Patient Information

An Edmonton health worker who admitted to illegally accessing the medical records of seven people has been fined $1,000. Denise Tourneur pleaded guilty Feb. 5 to the violations under the province’s Health Information Act. The Court heard the breaches occurred on 44 separate occasions between September 2011 and September 2013. The guilty plea is the fourth conviction under the Health Information Act since the legislation came into force in 2006. However, the amount of the fine is considerably lower than past penalties. [The Winnipeg Sun]

CA – OIPC AB Orders Public Body to Implement Safeguards to Protect Personal Health Information from Unauthorized Access and Disclosure

The OIPC AB reviewed the results of an investigation conducted by the Alberta Health Services (“public body”) into a potential breach of personal health information by a nurse (“Affiliate”). The policy that a public body had in place regarding the monitoring and auditing of IT resources establish the public body’s intent to protect unauthorized use or access; this policy remained in place when a nurse inappropriately accessed, used, and siclosed the personal health information of a patient; the public body must implement mechanisms to ensure that individual’s are in compliance with policies at all times and that patient health information is safeguarded. [OIPC AB – Order H2016-02 – Alberta Health Services]

Identity Issues

US – Secret Police? Virginia Considers Bill to Withhold All Officers’ Names.

It started with a reporter’s attempt to learn whether problem police officers were moving from department to department. It resulted in legislation that is again bringing national scrutiny to the Virginia General Assembly: a bill that could keep all Virginia police officers’ names secret. The Virginia Senate has already approved Senate Bill 552, which would classify the names of all police officers and fire marshals as “personnel records,” exempting them from mandatory disclosure under the state’s freedom of information law. In a climate where the actions of police nationwide are being watched as never before, supporters say the bill is needed to keep officers safe from people who may harass or harm them. But the effort has drawn the attention of civil rights groups and others who say police should be moving toward more transparency — not less — to ensure that troubled officers are found and removed. If it is made law, experts say the restriction would be unprecedented nationwide. [The Washington Post]

Law Enforcement

US – Fed Judge Limits 1st Amendment Right When Videorecording Cops

Court: No First Amendment right to videorecord police unless you are challenging the police at the time. In recent years, lower federal courts have generally held that the First Amendment protects a right to videorecord (and photograph) in public places, especially when one is recording public servants such as the police. Because recording events that you observe in public places is important to be able to speak effectively about what you observe, courts held, the First Amendment protects such recording. Some restrictions on such recording may be constitutional, but simply prohibiting the recording because the person is recording the police can’t be constitutional. This is the view of all the precedential federal appellate decisions that have considered the issue. [Watch: What you need to know about filming the police]. But Friday’s federal trial court decision in Fields v. City of Philadelphia takes a different, narrower approach: There is no constitutional right to videorecord police, the court says, when the act of recording is unaccompanied by “challenge or criticism” of the police conduct. Therefore, the court held, simply “photograph[ing] approximately twenty police officers standing outside a home hosting a party” and “carr[ying] a camera” to a public protest to videotape “interaction between police and civilians during civil disobedience or protests” wasn’t protected by the First Amendment. [Source]

Privacy (US)

US – Former Employee Deletes Data, Gets Prison Sentence

A US district judge in North Carolina has sentenced Nikhil Nilesh Shah to 30 months in prison for sabotaging his former employer’s servers. Shah was an IT manager at SmartOnline. He left that company in March 2012, and in June of that same year, he sent malicious code to his previous employer’s servers, deleting much of the company’s intellectual property. [The Register] [SCMagazine] [Justice.gov]

US – Asus Settles FTC Charges Over Unsecure Home Routers

Asus has agreed to the terms of a settlement with the US FTC regarding vulnerabilities in its home routers and cloud services. The FTC noted that Asus frequently “did not address security flaws in a timely manner and did not notify customers about the risks posed by the vulnerable routers.” The settlement calls for Asus to establish and maintain a comprehensive security program and to undergo audits every two years for the next 20 years. [FTC] [eWeek] [SCMagazine] [The Register] [ComputerWorld]

RFID / IoT

WW – Obama’s National Action Plan on Cybersecurity Addresses IoT

The White House’s national action plan on cybersecurity addresses concerns about the security of the Internet of Things (IoT). According to the plan, the US Department of Homeland Security (DHS) is working with Underwriters Laboratories to develop a cybersecurity assurance program that could evaluate IoT devices before they go to market. [NextGov]

CA – OPC Releases Research Paper on Internet of Things

The OPC released a research paper titled ‘The Internet of Things (IoT): An introduction to privacy issues with a focus on the retail and home environments’, which examines the key privacy challenges posed by the IoT, such as customer profiling, accountability, transparency, and information security. The Paper assesses whether the definitions of both consent and personal information, as included in the current privacy regulation, are suitable for a ‘fast-developing online environment’ as the IoT. The Paper also considers various technologies used by the retail industry to monitor consumer behaviours, such as wearables and smartphone apps, and to connect the devices among them, namely cellular, Wi-Fi, Bluetooth, Near Field, communication and Radio-Frequency Identification. The Paper does not offer specific guidance to them or propose any new regulatory measures.” [Source]

WW – Microsoft, Cisco, Intel and others Form Open Iot Standards Group

Microsoft is leading a band of tech titans to found a new Internet of Things standards group. The Open Connectivity Foundation (OCF) will seek to define interoperability standards for the billions of internet-connected devices expected to arrive in the next few years. Up until now the OIC was in competition with the Allsee Alliance, another IoT standards group formed in 2013, with members such as Microsoft, Electrolux, and Qualcomm — all of whom are now part of the OCF. There’s also the two-year-old Industrial Internet Association formed by Intel, IBM, ATT, Cisco, and GE. [ZDNet]

WW – IoT: SimpliSafe Alarms Transmit Codes in Plaintext

SimpliSafe wireless home alarm systems are vulnerable to replay attacks.

The system’s keypad uses the same, unencrypted personal identification number each time it sends a message to the base station. Attackers could sniff the code, then replay it to trick the system into thinking that a home is secured when there is actually a break-in occurring. The microcontroller chips used in the system are write-once, which means they cannot be updated with firmware. SimpliSafe is used in more than 200,000 homes. [Ars Technica] [The Register]

Security

WW – Eliminating Browser Plugins Improves Security, Decreases Functionality

In an effort to improve security, browser makers have begun disabling plugins. Oracle said last month that it would end support for its Java plugin. The plugin will be “deprecated” in the next release version of Java Development Kit, which is scheduled for release next year. [eWeek]

US – California AG Says Not Adopting Critical Security Controls Indicates “Failure to Provide Reasonable Security”

A report from the California Attorney General’s Office includes recommendations for organizations to protect their systems from breaches. The “report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security.” The report recommends organizations adopt the Center for Internet Security’s Critical Security Controls as the start of a comprehensive information security program. The Attorney General’s Office stated “not doing so would be indicative of an organization’s failure to provide reasonable security.” [Source] [SANS Critical Controls]

US – California Data Breach Report Identifies Exploited Flaws and Defines Legal Minimum Standard of Due Care for Cyber Security

The California Data Breach Report “provides an analysis of the data breaches reported to the California attorney general from 2012-2015.” In nearly all cases, the breaches exploited vulnerabilities for which fixes had been available for more than a year. California state law states, “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature if the information.” The report goes on to say that organizations that do not implement the Center for Internet Security’s (CIS) 20 Critical Security Controls would be found to demonstrate “a lack or reasonable security.” [NextGov] [NatLawReview]

WW – PwC Report: Cybercrime Second Most Reported Economic Crime

According to PwC’s Global Economic Crime Survey 2016, nearly one-third of organizations surveyed said they had experienced cybercrime. The report explains the surprisingly low percentage by noting, “the insidious nature of this threat is such that of the 56% who say they are not victims, many have likely been compromised without knowing it.” The report also found that just 37 percent of organizations have established a cyber incident response plan. “Many boards are not sufficiently proactive regarding cyber threats.” The report draws its statistics from responses from more than 6,000 organizations in 115 countries. [ZDNet] [Newsmarket]

US – IRS reports 400% increase in phishing& malware in the past 12 months

The US tax-filing season has only been under way for a month, but already the IRS is warning that it’s seen a 400% surge in phishing and malware compared with the previous tax year. Phishing messages are asking taxpayers about a wide range of sensitive information, including data related to refunds, filing status, confirmation of personal information, transcript orders and PIN verifications. The messages are rigged to look official, as if they came from the IRS itself or from others in the tax industry, such as tax software companies. The phishing attempts are being seen in every part of the country, the IRS says. [Source]

Surveillance

Texas – City Dumps License Plate Readers for Being “Big-Brotherish”

At the beginning of the year, the City of Kyle, Texas, approved a controversial agreement to install automated license plate recognition (ALPR) technology in its police vehicles. The devices would come at no cost to the city’s budget; instead, police would also be outfitted with credit card readers and use ALPR to catch drivers with outstanding court fees, also known as capias warrants. With each card swipe, an added 25% surcharge would go to Vigilant Solutions, the company providing the system. As an added bonus the company would also get to keep all the data on innocent drivers collected by the license plate readers—indefinitely. But before the license plate readers could even be installed, the Kyle city council voted 6-1 to rescind the order. The reason: public and media outcry over how the system would turn police into debt collectors and data miners. In late January, EFF published a report about Vigilant’s latest business scheme: licensing ALPR systems to law enforcement agencies for free, in exchange for their participation in what Vigilant calls its “Warrant Redemption Program.” In addition to the City of Kyle, the City of Orange and Guadalupe County in Texas had also signed similar deals. [EFF]

US Legislation

US – Obama Signs Bill Extending Privacy Protections to Allies

President Barack Obama signed legislation that would extend some U.S. privacy protections to citizens of allied countries and let foreigners sue the U.S. government if their personal data is unlawfully disclosed. The bill extending certain privacy protections was aimed at shoring up trust among European allies following leaks by former NSA contractor Edward Snowden. Obama said the new law makes sure data is protected under U.S. privacy laws, “not only American citizens, but also foreign citizens.” Even as the U.S. government works to protect American’s security, Obama said “we’re mindful of the privacy that we cherish so much.” Supporters say extending privacy protections helps ensure that other nations will continue sharing law enforcement data with the United States. [The Winnipeg Free Press]

US – Congress Looks to Boost Email Privacy; Increase Social Media Surveillance

While civil liberties advocates are encouraged by the House push to protect Americans’ emails, they are keeping a close eye on separate efforts by lawmakers to increase surveillance of social media. Earlier this month, the Senate Homeland Security and Governmental Affairs Committee approved the bipartisan Combat Terrorist Use of Social Media Act, which requires President Obama to develop a comprehensive strategy to counter terrorists’ use of social media. The Obama administration has been promising such a strategy since late 2011. [Source]

US – DC Introduces Bill Prohibiting Tracking of School Issued Devices

Bill 21-0578, Protecting Students Digital Privacy Act of 2016, was introduced and referred to the Committee on Education. Device location tracking technology cannot be used to track a device given to students unless the student has reported the device missing or stolen, a judicial warrant has been obtained or it is necessary to respond to an imminent threat to life or safety; students cannot be required to or coerced into providing usernames and passwords or providing any school personnel with access to personal social media accounts. [B21-0578 – Protecting Students Digital Privacy Act of 2016]

+++

 

 

15-21 February 2016

Biometrics

US – The American Government Plans to Scan Your Eyes at Border Crossings

The US government is using eye scans and facial recognition technology for the first time to verify the identities of foreigners leaving the country on foot — a trial move aimed at closing a long-standing security gap, officials announced. Before now, foreigners who left the country were rarely checked by U.S. authorities as they walked into Mexico or Canada through ports of entry. The checkout system that launched Feb. 11 at a busy San Diego border crossing with Mexico aims to ensure those who enter the country leave when their visas expire and identify those who violate that. Up to half of people in the U.S. illegally are believed to have overstayed their visas. Authorities are using the trial runs to determine which technology is the fastest, most accurate and least intrusive in screening people coming and going at all land crossings along the 3145-kilometre border with Mexico. Final results are expected this summer, with the goal of expanding the checks to all land, air and sea ports. Federal officials say they will not share or retain the data collected in the trial runs, but it is not clear how the information will be used if the program is adopted permanently. [Source]

Canada

CA – OIPC SK Unable to Determine if Employee Access to Individual’s Personal Information Was for Legitimate Purposes

The Saskatchewan IPC investigated a complaint alleging improper disclosure of personal information by an employee of Saskatchewan Government Insurance. The employee conducted a specific license plate search on a vehicle belonging to the individual; the individual argues that she has a contentious relationship with the employee, however the search was a typical part of the employee’s duties. The government agency must evaluate solutions to determine whether employee access is for legitimate business purposes. [Investigation Report 189-2015 – Saskatchewan Government Insurance]

CA – OIPC AB Upholds Educational Institution’s Disclosure of Student’s PI in the Course of a Conflict Resolution Process

This OIPC AB order investigated the alleged unlawful collection and disclosure of a student’s personal information by Bow Valley College pursuant to Alberta’s Freedom of Information and Protection of Privacy Act. An academic official reasonably communicated PI about one student in emails to 2 supervisors, to ensure that the students did not have contact with one another and to decide if further disciplinary action might be necessary; the student’s PI was secure because email messages remain only within the internal computer network (monitored for security threats, viruses and unauthorized access) and employees’ email accounts are password protected. [Order F2016-01 – Bow Valley College]

CA – Airlines Should Be Able to Exchange Info on Unruly Passengers: Air Canada

Air carriers should be allowed to share information about unruly passengers to help keep the skies safer, Canada’s largest airline says. A carrier can ban people with a history of disruptive behaviour from taking further flights with that airline, Air Canada notes in a submission to the federal government. But legislation does not permit airlines to exchange information about passengers, even when they believe them to be a safety risk to others. In the submission to a federal review of the Canada Transportation Act, Air Canada says safety “should always be first and foremost.” A report flowing from the review — likely to include some recommendations about air safety — is expected to be made public in coming weeks. The federal privacy commissioner’s office said it was unaware of Air Canada’s sharing proposal, had not studied the issue and could provide no comment at this time. [The Canadian Press]

E-Government

WW – New Tool from Nymity Aims to Simplify Privacy Management

Nymity announced its newest privacy management tool, the Nymity Planner. The “activity based” Nymity Planner “helps privacy offices operationalize compliance, document evidence and resources, delegate accountability, and ‘plan’ privacy management throughout the organization,” the report states. It also includes a GDPR add-on, so companies can consider GDPR compliance as they work to increase privacy protections in their organization. Nymity also has plans to include a Privacy Shield add-on. “The solution will prove to be highly valuable for those privacy officers who are looking to embed, manage, and report on structured privacy management across their organization,” said Nymity’s Constantine Karbaliotis, [GlobeNewswire]

E-Mail

CA – Update on CRTC CASL Compliance and Enforcement

On February 10, 2016, Lynne Perrault and Dana-Lynn Wood of the CRTC provided the latest in what is becoming a series of CASL briefings, as part of an “on-going dialogue” with industry. The CRTC now has a year and a half of enforcement experience under its belt for the Commercial Electronic Messages (CEMs) provisions of CASL, so this presentation focused on patterns and issues that have emerged in that period, and some guidance in response to those issues, including complaint statistics, priorities, and enforcement and other compliance issues. [Canadian Tech Law Blog] See also: [If you hate telemarketers, you’ll love this robot designed to waste their time]

Electronic Records

US – ONC: Patient Comfort Levels With EHRs, Data-Sharing On the Rise

A nationwide survey from Office of the National Coordinator for Health IT conducted between 2012 and 2014 indicates patients are growing more comfortable with electronic medical records and support data-sharing, though a summary from the agency notes that the survey took place before several major healthcare data breaches in 2015. Preserving patient trust is an essential part of establishing an interoperable health IT infrastructure. A study from the University of Wisconsin-Milwaukee and Dartmouth College based on the 2012 Health Information National Trends Survey found that 13% of respondents reported having withheld information from their provider because of privacy and security concerns. Privacy concerns can “crash” big data initiatives before they become useful, while the key to success lies in finding the right balance, experts said at a Princeton University event in April 2014. ONC data brief [FierceHealthIT]

Encryption

US – Apple Fights Order to Unlock San Bernardino Gunman’s iPhone

A debate pitting the government against tech companies has now come to a showdown after Apple CEO Tim Cook announced the company will not comply with a federal court order that it help the FBI unlock the iPhone of one of the San Bernardino shooters. In a win for the government, Magistrate Judge Sheri Pym ordered Apple to provide technical assistance to disable the phone’s password-wipe function — after 10 incorrect password attempts, the phone erases its data — so that authorities could “brute force” the phone’s password. Hours later, Cook announced the company would fight the order. In a message to Apple customers, the company wrote, “This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.” [The New York Times] See also: [Can the FBI Force Apple to Write Software to Weaken Its Software? ] [Why Apple Is Right to Challenge an Order to Help the F.B.I.] [Apple’s Line in the Sand Was Over a Year in the Making] [Who does Apple think it is? ] [Apple Said to Get More Time to Fight Order to Unlock IPhone ] [Why you should side with Apple, not the FBI, in the San Bernardino iPhone case ] [Here’s What The FBI Actually Asked Apple To Do It’s more complicated than it seems.] [No, Apple Has Not Unlocked 70 iPhones For Law Enforcement ] [Apple vs. The FBI: Questions Not Asked ] [Apple vs. the FBI: Facebook, Twitter, Google, John McAfee and more are taking sides ] [Apple backdoor court order being watched in Canada] [Read Apple’s unprecedented letter to customers about security] [Tech Reactions on Apple Highlight Issues with Government Requests] and finally: [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 – Order Compelling Apple Inc. to Assist Agents in Search – United States District Court For The Central District Of California

EU Developments

EU – Art WP29 Issues Surveillance Benchmarks

In its statement in response to the announcement of the new EU-U.S. Privacy Shield, the Article 29 WP enunciated “four essential guarantees,” derived from “jurisprudence,” that it is using to assess the protections provided to ensure intelligence surveillance respects fundamental rights. These are:

  1. Processing should be based on clear, precise and accessible rules: This means that anyone who is reasonably informed should be able to foresee what might happen with their data where it is transferred;
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: A balance needs to be found between the objective for which the data is collected and accessed (generally national security) and the rights of the individual;
  3. An independent oversight mechanism should exist, that is both effective and impartial: This can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
  4. Effective remedies need to be available to the individual: Anyone should have the right to defend her/his rights before an independent body.

These four standards are almost identical to the essential safeguards under the EU legal order used in the Sidley Austin report, “Essentially Equivalent: A comparison of the legal orders for privacy and data protection the European Union and United States,” as a basis to compare surveillance laws in the United States and eight illustrative EU member states. [IAPP] [Article 29 WP – Statement on the 2016 Action Plan for the Implementation of the GDPR Work Programme | Action Plan]

UK – ICO Launches Tool to Help SMEs Assess Compliance

The UK ICO has launched a self-assessment tool to help small and medium organisations assess compliance with the Data Protection Act. The tool outlines obligations for registration of personal data processing, identification of individuals responsible for development, implementation and monitoring of data protection and information security policies, training of staff and disposal of personal data held; security measures should be established for effective malware defences, logging and monitoring of user and system activity, and detection of unauthorised access or anomalous use. [ICO UK – ICO Launches New Data Protection Self Assessment Tool for SMEs]

EU – Other News:

Facts & Stats

US – California Attorney General Releases Data Breach Report

Over the course of the last four years, the personal records of more than 49 million Californians were put at risk, according to a new data breach report from California Attorney General Kamala Harris. Between 2012 and 2015 there were 657 reported breaches, and three out of five state residents were victims of a data breach in just 2015 alone. The report includes information on the most common types of data breached, explains what types of breaches different industry sectors were most susceptible to, and provides recommendations to reduce the frequency and impact of future breaches. The report articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security. The report also includes recommendations for businesses to better protect personal data and maintain “reasonable security.” [Source] [California Data Breach Report February 2016] [California Reports 49 Million Records Breached in Four Years]

Filtering

CA – Google Appeal of Worldwide Injunction Headed to Supreme Court

The Supreme Court of Canada has agreed to hear Google’s appeal of a worldwide injunction which critics warn could turn B.C. into a destination for ‘censorship tourism’. The tech giant is challenging a B.C. Supreme Court ruling made in relation to a Burnaby-based company’s bid to stop another firm from profiting from the sales of stolen technology. Google was a third party in the litigation, dragged into the case because Datalink relies on web search engines to attract potential customers. Google voluntarily removed 345 links from search results in Canada. But Equustek accused Datalink of playing ‘Whack-A-Mole’ by going international with its listings. Hence the worldwide injunction in 2014 from B.C. Supreme Court Justice Lauri Ann Fenlon. “The courts must adapt to the reality of e-commerce with its potential for abuse by those who would take the property of others and sell it through the borderless electronic web of the internet,” Fenlon wrote. “That (injunction) is necessary … to ensure that the defendants cannot continue to flout the court’s orders.” The ruling, which was upheld by the B.C. Court of Appeal, made headlines around the world. It’s one of a growing body of legal decisions struggling to balance rights and responsibilities of technology companies operating across global boundaries.

In agreeing to hear the case, Canada’s highest court defined those questions as follows:

  • “Under what circumstances may a court order a search engine to block search results, having regard to the interest in access to information and freedom of expression, and what limits (either geographic or temporal) must be imposed on those orders?”
  • “Do Canadian courts have the authority to block search results outside of Canada’s borders?”
  • “Under what circumstances, if any, is a litigant entitled to an interlocutory injunction against a non-party that is not alleged to have done anything wrong? [CBC] [Canadian courts wade into free-speech battle with worldwide injunction against Google]

FOI

NZ – Government Made 12,000 Privacy Requests to Just 10 Companies

The New Zealand privacy commissioner revealed that government agencies, including Inland Revenue, Police and Ministry of Social Development made nearly 12,000 requests for citizens’ personal information to only 10 companies from August to October 2015. This information was revealed as part of an Office of the Privacy Commissioner trial transparency program. The OPC further discovered that more than 1,000 information requests were incorrectly labelled as being made under the Privacy Act, which provides no mechanism for government agencies to make requests for personal information. The 10 companies voluntarily complied with the information requests approximately 96 percent of the time, which has left some lawyers and privacy advocates concerned that agencies were misleading companies by using clauses of the Privacy Act to compel sharing of personal information. [NZ Herald]

CA – IPC ON Orders Oshawa to Issue Decision Relating to Email by City Councillor

The Information and Privacy Commissioner in Ontario reviewed a decision by the City of Oshawa to deny access to records requested pursuant to the Municipal Freedom of Information and Protection of Privacy Act. Although the councillor is not an employee of the public body (elected members of a municipal council or not agents or employees of municipal corporations), the record is under the control of the public body; the contents of the record relate to a departmental matter and the public body could reasonably expect to obtain a copy of the record upon request. [IPC ON – Order Mo-3281 – The Corporation of the City of Oshawa]

Health / Medical

US – HHS Releases New HIPAA and Mobile Sharing Guidance

The Department of Health and Human Services’ Office for Civil Rights debuted new scenario-based guidance to help health care providers better understand how to protect patient data and comply with HIPAA on mobile devices. Privacy advocates are pleased. “This guidance is important since some developers still aren’t clear about whether they fall under HIPAA or not — that is, whether or not they are HIPAA-defined business associates,” said The Marblehead Group. The guidance is next in the agency’s “cyber-awareness initiative,” with a manual on HIPAA and cloud computing forthcoming, the report adds. [GovInfoSecurity]

CA – Debate Continues on Ontario Health Privacy Breach Law

A bill proposing to double the fines for violations of Ontario’s Personal Health Information Protection Act was a subject of debate at Queen’s Park in Toronto. Bill 119, the Health Information Protection Act, was tabled Sept. 16 by Liberal Health Minister Eric Hoskins. Among other things, Bill 119, if passed into law, would double the maximum fines for offences, under PHIPA, from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations,” said Indira Naidoo-Harris Liberal MPP for Halton and parliamentary assistant to Hoskins, at Queen’s Park Tuesday. Other changes proposed in Bill 119 “include making it mandatory to report privacy breaches as defined in regulation.” [Canadian Underwriter]

CA – Sask. Residents Can View Their Personal Health Care Information Online

500 Saskatchewan residents were invited to participate in a new pilot program offered by eHealth. The pilot allows residents to view their personal health information online through a secure website. So far, 232 residents have created accounts. The Citizen Health Information Portal (CHIP) pilot will include up to 1,000 participants from across the province. Throughout the six-month trial period, participants can view their personal lab results, immunization history, 25 months of prescription history and hospital visits from anywhere in the world. Participants can add their personal history to the record, including information about allergies and surgeries and medication reminders. Parents can access their children’s health-care information, and travellers can print their health information and take it with them on holidays. [Source] [Saskatchewan patient access to online health records requires big focus on security] [Debate continues on Ontario health privacy breach law]

Horror Stories

US – Ransomware Hits California Hospital

Computer systems at the Hollywood Presbyterian Medical Center in southern California have fallen prey to ransomware. The systems have been offline for more than a week. Employees were not able to access patient files and the hospital declared the situation an internal emergency. The FBI, the L.A. Police Department, and cyberforensics experts are investigating. The attackers have demanded a ransom of 9,000 Bitcoins (approximately US $3.6 million) While the organization is dealing with the attack, its network is offline and “staff are struggling to deal with the loss of email and access to some patient data.” Some patients have also been transferred to other hospitals because of the attack, and registrations and medical records are currently being logged on paper. Meanwhile, a new study by the Cloud Security Alliance and Skyhigh has found that cybersecurity insurance makes companies more likely to pay in ransomware attacks. [CSO Online] [ZDNet] [ComputerWorld] [BBC] UPDATE: [LA Hospital Pays Hackers Nearly $17,000 To Restore Computer Network]

Internet / WWW

US – Google Says it Tracks Personal Student Data, But Not for Advertising

What does Google do with the personal information it collects from children who use Google products at school? Google provided some answers in a seven-page letter to Sen. Al Franken (D-Minn.), the ranking member of the Judiciary Subcommittee on Privacy, Technology and the Law. Google does not use K-12 students’ personal information to serve targeted advertisements, but Google does track data from students for other reasons, including developing and improving Google products. Such tracking happens when students are signed into their Google Apps for Education account but are using certain Google services — such as Search, YouTube, Blogger and Maps — that are considered outside Google’s core educational offerings. Thousands of K-12 schools and universities — and more than 30 million students and teachers — use Google’s Apps for Education, which the company provides to schools free of charge. Franken said that Google’s response was “thorough,” but said he will seek further clarification from Google about some of its privacy policies regarding student data. UC Berkeley students sue Google, alleging their emails were illegally scanned [The Washington Post]

US – 90% of Enterprises in U.S. to Increase Annual Spend On Cloud Computing

A new survey out of the U.S. identifies a cloud computing spending pattern – 90% of respondents say their companies plan to increase or maintain related budgets – that signals a growth opportunity for providers. Cloud service providers are advised to target opportunity in enterprise market, Washington, D.C.-based B2B research firm Clutch suggested in releasing its 2016 Enterprise Cloud Computing Survey last week. [Canadian Underwriter] See also: [Privacy, power concerns drive Canadian data center growth]

Law Enforcement

CA – Group’s Efforts to Review Ottawa Police Sexual Assault Cases Falls Flat

The Ottawa Police Service denied a group’s request to have full disclosure in reviewing sexual assault cases, citing privacy concerns as the main reason. Scassa, a law professor and member of the external advisory committee of the Office of the Privacy Commissioner of Canada, said the (external audit) model could be adopted in Ottawa if the advocates who review cases sign confidentiality agreements. The group that has been lobbying the Ottawa police to adopt the model said they would be willing to do that. “There’s nothing in Ontario privacy law that stops the police here from doing the same thing,” said Scassa. “I think there is a great tendency to use privacy as an excuse for not doing things, or for government institutions to use privacy as an excuse for not doing things they don’t want to do.” [MetroNews]

CA – Ontario Privacy Laws Hamper Social Agencies

The head of a St. Catharines social agency says more missing adults in Ontario could be found if government legislation did not prohibit sharing personal information with family members. “They have rights and responsibilities within the Mental Health Act that precludes us from going and taking them and forcing them into a situation that they’re not comfortable with.” Souter says it is important to respect the privacy of all people, but rules around confidentiality often put an individual at odds with his or her family. [CBC] [Ontario man missing 30 years suddenly remembers own identity] SEE ALSO: [B.C. privacy laws slow efforts to find, compensate children of missing women]

Location

CA – Waterloo Deploys ALPR on Delinquent Parkers

Delinquent parkers beware: it’s going to get a lot harder to dodge a parking ticket if you overstay your welcome in Waterloo’s free parking zones. A new license plate recognition vehicle will begin patrolling the streets in March. The vehicle will use specialized cameras to scan licence plates, capture the GPS coordinates of the vehicle and capture a before and after image of the vehicle’s wheels. It’s an initiative the city has been working on since 2011, said Waterloo’s manager of compliance and standards. Mulhern says part of why it took five years to get the program off the ground was the city’s dedication to ensuring all possible privacy concerns had been addressed. He said the city worked with the privacy commissioner to make sure the system was set up correctly and that data would be stored securely and for no longer than necessary. Labouring over those kinds of details seems to have paid off. When contacted by the CBC, Ontario Civil Liberties Association executive director Joseph Hickey said it appeared the city had addressed privacy concerns, and “therefore this is a minor issue for us.” The city plans to hold an open house Thursday at RIM Park from 12 to 8 p.m. for the public to see the new parking control system and ask questions. [CBC]

Privacy (US)

WW – EY Releases Report on Privacy Trends for 2016

EY has now released a report on privacy trends in 2016, called “Can privacy really be protected anymore?” Of those surveyed, nearly half said they were concerned with having a clear picture of where personal information is stored outside the organization’s systems and services. Additionally, nearly 40% expressed concern that there are not enough people to support their privacy program. “As the onus of accountability shifts from regulators to organizations,” the report states, “organizations need to take heed of where they are in terms of their privacy maturity and what they need to do to make privacy protection part of everything in an organization.” [Source]

US – Tech Company Settles FTC Charges for Installation of Apps Without Consumer Knowledge or Consent

General Workings Inc. entered into a settlement agreement with FTC for alleged violations of section 5(a) of the FTC Act. The company replaced a popular app with its own software program that automatically approved default permissions requests associated with apps that were then installed on consumers’ desktops and mobile devices; the company must delete all consumer personal information in its possession, custody or control, inform consumers of the types of information that will be accessed and display any permissions notice or approval requests prior to installation of the app. [FTC Settlement Agreement with General Workings Inc and Ali Moiz and Murtaza Hussain – File 152-3159] [Press Release] [FTC Complaint]

US — Privacy Owes Much to Attorneys General: Report

The University of Maryland Francis King Carey School of Law’s Danielle Keats Citron argues that state attorneys general are the unsung heroes of developing privacy law in her new research that has been posted to the Social Science Research Network, entitled “Privacy Enforcement Pioneers: The Role of State Attorneys General in the Development of Privacy Law.” In it, she writes, “Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals,” adding, “Crucial agents of regulatory change, however, have been ignored: the state attorneys general.” According to the SSRN abstract, “this article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general.” [Full Story]

US – Tech firms Unite to Form Cybersecurity Coalition

Seven cybersecurity firms banded together to create the Coalition for Cybersecurity Policy and Law, a group committed to developing an online privacy framework with legislators. Cisco, Intel, Arbor Networks, Microsoft, Oracle, Rapid7 and Symantec are the organizations represented in the coalition, which was “founded on three major principles: stimulating the cybersecurity marketplace; encouraging cybersecurity innovation,” and encouraging other companies to embrace cybersecurity from the ground up. “The members of this Coalition are dedicated to building our nation’s public and private cybersecurity infrastructure, and their insight and engagement must play a vital role in the decisions being made by our government on cybersecurity policy,” said Venable’s Ari Schwartz, who serves as the coalition’s coordinator. [FedScoop]

NZ – Nudist Resort Removes Photos of Judge from Site

An unnamed judge recently spent time at the Pineglades Naturist Club in Rolleston where he was photographed lounging and playing games in the nude. The club had posted photos of the naked judge online for promotional purposes. However, the photos were removed from the club’s website after the newspaper made inquiries into them. The Guidelines for Judicial Conduct warn that a judge attracts more attention and scrutiny than most members of the community, so they should accept some restrictions on conduct and activities. The judge is unlikely to be punished though as there are no disciplinary mechanisms for enforcing the guidelines. [The New Zealand Herald]

Security

US – Cyber Threat Information Sharing Guidelines Released by DHS

This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act.  The DHS Federal Register notice was published this morning here. As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information.

WW – Study: Leaked data quickly gobbled up in the Dark Web

Bitglass’ second annual “Where’s Your Data” study found that within “a few days” of leaking false user data, the information was accessed via the Dark Web in “20 countries and multiple continents.” “In total, the team tracked over 1,400 visits to the fake credentials, in addition to the fictitious bank portal,” the report states. The findings are evidence of the need for companies to properly protect their personal information. “Organizations need a comprehensive solution that provides a more secure means of authenticating users and enables IT to quickly identify breaches and control access to sensitive data.” [ZD Net]

Smart Cars

US – Verizon’s “Hum” Device for Your Car Will Rat Out Speeding Teens, Wandering Spouses

The $15/month Verizon “hum” service was originally launched to collect vehicle diagnostics, connect users to roadside assistance, provide maintenance reminders. But this morning Verizon announced that it will be adding a slew of new features for the hum, including: boundary alerts, speed alerts, vehicle location, and driving history. [The Consumerist] SEE ALSO: [Marc Garneau: Canada’s Senate To Study Rules Surrounding Driverless Cars]

Surveillance

WW – 519070 or Blank: The PINs that Can Pwn 80k Online Security Cams

Researchers say up to 80,000 digital video recorders (DVRs) used to record footage from surveillance cameras employ hardcoded passwords – or don’t use one at all – opening avenues for attackers to breach home and business networks and compromise privacy. In one examination, at least 46,000 DVRs were found open to remote hijacking through a hardcoded firmware username and password. Risk-Based Security chief researcher Carsten Eiram says most of the exposed cameras are operating in the US followed by the UK, Canada, Mexico and Argentina.  [The Register]

Telecom / TV

US – Coalition Calls FCC Set-Top-Box Proposal ‘An Assault’ On Privacy

Privacy advocates continue to criticize the Federal Communications Commission’s proposal for new set-top-box TV guidelines, calling them both “an assault on consumer privacy” and an outlet that lets “privacy scofflaws like Google” obtain greater swaths of user data, the Future of TV Coalition said. While FCC Chairman Tom Wheeler maintains the guidelines would have privacy protections, the advocacy group argues the overreaching consequences are too immense. “The Chairman’s approach creates a gaping hole in consumer privacy where none exists today, and leaves our personal viewing histories at the mercy of vast businesses built almost entirely on mining, exploiting, and profiling our personal data,” the Future of TV Coalition said. [MediaPost] [Lawmakers weigh in on FCC set-top box changes]

US Government Programs

US – Interim Guidelines for Cybersecurity Act Released by DHS

The Department of Homeland Security published interim guidelines that illustrate how the agency will collect data under the Cybersecurity Act of 2015. The act-mandated move was an attempt to assuage critics of the legislation, who fear it will conclude with even more citizen data collected by the agency. “We know many cyber intrusions can be prevented if we share cyber threat indicators,” said DHS Secretary Jeh Johnson. “Sharing this kind of information in real-time, and swiftly applying defensive measures, will allow both the government and private sector to more effectively prevent attacks.” The agency has until June to complete a more formal privacy guideline. [The Hill]

US Legislation

US – Roundup:

Workplace Privacy

US – Bosses Tap Outside Firms to Predict Which Workers Might Get Sick

In an attempt to curb the cost expended for health care, companies like Wal-Mart are employing data mining groups to analyze employee information that identifies those with potential health risks. “Companies say the goal is to get employees to improve their own health as a way to cut corporate health care bills,” the report states, but “privacy experts worry that management could obtain workers’ health information, even if by accident, and use it to make workplace decisions.” [Wall Street Journal] [US: Bosses Harness Big Data to Predict Which Workers Might Get Sick]

 

 

+++

 

 

08-14 February 2016

 

Canada

CA – OPC Wants Info on Agency Tracking Peaceful Protests

Canada’s privacy watchdog wants more information on a central government agency keeping tabs on peaceful protests. Privacy commissioner Daniel Therrien’s office has asked the Government Operations Centre (GOC) to review its tracking of lawful protest and dissent. The GOC provides 24/7 “situational awareness” for the federal government, and is supposed to help co-ordinate Ottawa’s response to natural disasters or threats to infrastructure. But in late 2014, it was revealed the GOC has collected information on more than 800 peaceful protests, demonstrations and academic panels since 2006. Documents tabled in Parliament in 2014 showed the GOC had information on events like a rally for veterans on Parliament Hill, a public panel discussion in Toronto on the oilsands, and a number of vigils and marches for missing and murdered indigenous women. In June 2014, the Ottawa Citizen reported that the GOC asked government departments for help in compiling a “comprehensive listing of all known demonstrations” across the country. The revelations drew the ire of the Liberals while in opposition. [The Star]

CA – Premier’s Office in Nova Scotia Broke Law, Privacy Czar’s Report Finds

The office of Nova Scotia Premier Stephen McNeil broke privacy laws when chief of staff Kirby McVicar publicly released sensitive medical information about a former cabinet minister, the province’s privacy commissioner says. McVicar resigned Nov. 24 after stating in several media interviews that Andrew Younger had a brain tumour and had been diagnosed with post-traumatic stress disorder. In a report released Thursday, privacy commissioner Catherine Tully concluded that McVicar violated provisions of the Freedom of Information and Protection of Privacy Act. “The report finds that the disclosure is a breach of the privacy rules,” the report says, though there is no mention of penalties or further investigation. McNeil, speaking after a cabinet meeting, challenged Tully’s main conclusion, saying his office was not to blame because McVicar took sole responsibility for his actions. [Source] [CBC: NS OIPC rules premier’s former chief of staff violated law]

CA – Ontario Professionals Obligated to Share Info About “At Risk” Children

The Information and Privacy Commissioner of Ontario has issued a guide for disclosure of information to child protection workers. Individuals with reasonable grounds to suspect a child is need of protection must immediately report the suspicion to a children’s aid society even if the information is confidential or privileged and despite provisions of any other act; institutions and custodians are protected from liability if they act in good faith and do what is reasonable under the circumstances. [IPC ON – Yes You Can – Dispelling the Myths About Sharing Information with Childrens Aid Society]

E-Mail

WW – Gmail Now Warns Users When They Send and Receive Email Over Unsecured Connections

Google is introducing new authentication features to Gmail to help better identify emails that could prove to be harmful or are not fully secure. The company said last year that it would beef up security measures and identify emails that arrive over an unencrypted connection and now it has implemented that plan for Gmail, which Google just announced has passed one billion active users. Beyond just flagging emails sent over unsecured connections, Google also warns users who are sending. Gmail on the web will alert users when they are sending email to a recipient whose account is not encrypted with a little open lock in the top-right corner. That same lock will appear if you receive an email from an account that is not encrypted. Last year, Google said that 57% of messages that users on other email providers send to Gmail are encrypted, while 81% of outgoing messages from Gmail are, too. Another measure implemented today shows users when they receive a message from an email account that can’t be authenticated. If a sender’s profile picture is a question mark, that means Gmail was not able to authenticate them. Authentication is one method for assessing whether an email is a phishing attempt or another kind of malicious attack designed to snare a user’s data or information. [TechCrunch] [Google Gmail Help]

Encryption

US – Lawmakers Seek to Loosen Encryption on Smartphones

A fight over encryption-protected smartphone data is heating up in California and New York where lawmakers and law enforcement groups are pushing bills to enable investigators to unscramble data to obtain critical evidence in human trafficking, terrorism and child pornography cases. The bills seek to loosen the powerful encryption tools major cell-phone manufacturers have put in place to protect a smartphone user’s privacy and guard against hacking. Supporters argue law enforcement needs access to data that can help them prove or solve criminal cases, while technology and privacy groups are concerned the legislation would put a user’s personal information at risk. [SF Chronicle] [Sen. Feinstein Says Terrorists Only Need The Internet and Encryption To Attack] [US Congress locks and loads three anti-encryption bullets] [Bill Would Ban State Efforts to Weaken Encryption]

US – New Bill Aims to Stop State-Level Decryption Before It Starts

Over the last several months, local legislators have embarked on a curious quest to ban encryption at a state level. For a litany of reasons, this makes no sense. And now, a new bill in Congress will attempt to stop the inanity before it becomes a trend. California Congressman Ted Lieu has introduced the “Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016,” which we’ll call ENCRYPT. It’s a short, straightforward bill with a simple aim: to preempt states from attempting to implement their own anti-encryption policies at a state level. We’ve outlined the reasons that a patchwork of state anti-encryption laws makes no sense before, but it’s worth a quick recap. Lieu himself considers there to be three main issues with allowing government backdoors generally. (He’s also, for what it’s worth, one of four sitting Congressman with a computer science degree). [WIRED]

WW – Report: A Worldwide Survey of Encryption Products

A report from Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar says that mandating backdoors in encryption products would hinder competitiveness for those countries while having little effect on criminals intent on using encryption products that are free of such weaknesses. “Anyone who wants to evade an encryption backdoor in US or UK encryption products has a wide variety of foreign products they can use instead.” [Schneier] [ArsTechnica] [The Register] [NBC News]

EU Developments

EU – WP29 Lays Out 2016 Action Plan for GDPR Implementation

Last week, the Article 29 Working Party published the group’s action plan for the implementation of the General Data Protection Regulation. The Privacy Advisor shares commentary from Falque-Pierrotin during last week’s presser and looks into the official release by the WP29 of its four action plan items, which include the establishment of a European Data Protection Board, preparation for a one-stop shop and consistency mechanism, guidance for controllers and processors, and the creation of an online communication tool around the EDPB and GDPR. [IAPP]

UK – Snooper’s Charter Given Thumbs Up by UK Parliament Report

The UK parliament has published a joint committee report that only feebly challenges the government’s draft Investigatory Powers Bill. In contrast to the scathing report by the Intelligence and Security Committee report published earlier this week, the joint committee accepts nearly all the arguments of the government and intelligence services for wide-ranging and intrusive surveillance powers. In response to the controversy and criticisms of the proposed Snooper’s Charter, the report simply says: “The public debate over these powers is a healthy one, and the Home Office should ensure that it and the security and intelligence agencies are willing to make their case strongly in the months ahead.” In the main, the joint committee calls for only minor tweaking of the plans, but does recommend that a post-legislative review of the Snooper’s Charter should be made five years after it has been enacted. It also wants it to be illegal to ask foreign agencies like the NSA to undertake surveillance that UK intelligence agencies are not authorised to undertake themselves. [Ars Technica] [UK politicians green-light plans to record every citizen’s internet history But recommend that no encryption backdoors should be installed] [Parliamentary Watchdog Savages Snoopers’ Charter: ‘Inconsistent and largely incomprehensible’]

EU – Facebook Ordered to Stop Tracking Non-Users in France

In a 16-page ruling issued this week, France’s CNIL found fault with data collection by Facebook at its own site, and at the sites of outside publishers with “Like” buttons. “While the purpose claimed by the company may seem legitimate (ensuring the security of its services), collecting data on browsing activity by non-account Facebook holders on third-party websites is carried out without their knowledge.” The regulator also said that Facebook violates EU privacy law by placing cookies on the computers of visitors to Facebook.com without first obtaining their consent. Last year, authorities in Belgium also ordered Facebook to stop tracking non-users. Several weeks later, Facebook began preventing non-account holders in Belgium from accessing Facebook.com. In the past, anyone in that country could access many Facebook pages found through search engines, including pages for small businesses, sports teams, celebrities and tourist attractions. The CNIL also said in its ruling that Facebook can’t send data about EU citizens to U.S. servers, due to a ruling last October that invalidated an agreement that enabled the data transfers. While EU and U.S. authorities recently negotiated a new agreement, it has not yet been finalized. [MediaPost] [French data privacy regulator cracks down on Facebook]

UK – UK and US Negotiating on Wiretap Orders and Warrants

US and UK negotiators are working toward an agreement that would allow MI5 to serve US companies with wiretap orders for communications of British citizens in counterterrorism investigations. The arrangement would also allow Britain to serve orders for stored data. The draft proposal would allow MI5 to access data stored on overseas computers that are run by American organizations. The proposal would allow US intelligence the same access in the UK. [The Register] [Wash Post]

Facts & Stats

UK – Data Breaches led 3 Million Brits to Switch Service Provider

In the UK, three million Brits have changed service providers as a direct result of data breaches, according to new research a by Privitar. Concerns over how personal data is stored, used and ultimately protected have led to growing discomfort among consumers, with findings suggesting that perceptions about how well organizations safe-guard their data is a significant consideration when customers are choosing a service. Despite this, more than half (52%) of the 2018 adults surveyed admitted that they struggle to find out how their data is stored and used by companies. With the GDPR due to be implemented across the industry in the coming months it appears companies are faced with the challenge of acting on data privacy and protection to win customer trust, thus avoiding customer churn. After all, 83% of respondents said they would look to switch to another service if they felt it could manage their data better.  [Infosecurity]

Filtering

EU – Google to Scrub Web Search Results More Widely to Soothe EU Objections

Google will start scrubbing search results across all its websites when accessed from a European country to soothe the objections of Europe’s privacy regulators to its implementation of a landmark EU ruling, a person close to the company said. To address the concerns of European authorities, the Internet giant will soon start polishing search results across all its websites when someone conducts a search from the country where the removal request originated, a person close to the company said. That means that if a German resident asks Google to de-list a link popping up under searches for his or her name, the link will not be visible on any version of Google’s website, including Google.com, when the search engine is accessed from Germany. [Reuters] [New York Times] [Google to honor RTBF requests worldwide, for European users]

Finance

UK – National Financial Crime ‘Taskforce’ Launched

The UK’s largest retail banks have joined forces with the Home Office, Bank of England and police to develop a coordinated approach to tackling fraud. Project Sunbird, a collaboration between the Western Australian Police and Western Australian government’s Department of Commerce, is able to analyse international transaction data to detect patterns consistent with fraud and pro-actively reach out to individuals who may have been victims. The new Joint Fraud Taskforce’s early work will focus on improving intelligence-sharing between the financial sector, government and law enforcement, in order to prevent fraudsters from exploiting gaps and vulnerabilities. It will also help to raise public awareness through a list of the 10 ‘most wanted’ fraudsters, and work to establish “a much richer understanding of how fraud happens, and what can be done to stop it”, according to the UK home secretary. Members of the taskforce include the City of London Police, National Crime Agency, the Bank of England, fraud prevention body Cifas, from Financial Fraud Action UK (FFA UK) and the chief executives of the major banks. The new taskforce will report to the Home Office, as well as publishing public updates, the home secretary told MPs. [Source]

Genetics

CA – Senate Bill Prohibits Employers from Taking Disciplinary Action for Employee Refusal to Disclose Genetic Test Results

Bill S-201, An Act to Prohibit and Prevent Genetic Discrimination has received second reading and been referred to the Standing Senate Committee on Human Rights. An employee’s refusal to undergo or disclose the results of a genetic test cannot be used to dismiss, suspend, demote or lay off an employee, impose any penalty on an employee, refuse remuneration, or threaten to take disciplinary action against an employee; no individual can disclose to an employer that an employee had undergone a genetic test or the results of an employee’s genetic test without written consent. [Bill S-201 – An Act to Prohibit and Prevent Genetic Discrimination – Senate of Canada]

Health / Medical

CA – Insurance Company Offers Rebates for Healthy Lifestyle

A Canadian insurance company is set to offer a new insurance program that rewards policy holders for healthy lifestyle choices such as regular exercise, getting an annual health screening or a flu shot. Ontario-based insurance giant Manulife is partnering with Vitality Group to bring the program to Canada, after rolling out similar systems in parts of Africa, Asia and the United States. The company said sign-up process is similar to many insurance policies, in that applicants take an online test to determine their level of overall health and then are offered a premium. Policy holders who enroll in the program receive personalized health goals and can log their activities using online and automated tools, which are integrated with the latest wearable fitness-tracking technology such as Fitbit, Manulife said. Officials at the Office of Canada’s Privacy Commissioner said while they have not studied the insurance product offered by Manulife, they would encourage people to carefully consider the potential implications before sharing any personal information – especially sensitive information. [Source]

US – Privacy Advocates Left Out Of NHS Care.Data ‘Oversight’ Board

Privacy advocates have been secretly expelled from the NHS’s care.data discussions group, while lobbyists backed by biotech corporations have kept their places at the table. The care.data Advisory Group was established in March 2014, after the scheme’s first collapse, as part of a process to get care.data – which intends to centralise patients’ health and social care data so it can be packaged and sold to private corporations – up and running again. A recent study into the scheme carried out by the University of Cambridge found that care.data was “launched in a contradictory regulatory landscape” and wracked with “unrealistic expectations” regarding the potential for patient health and social care data to be sufficiently anonymised when shared. [The Register]

US – Administrative Law Judge Affirms OCR Authority to Enforce HIPAA

An administrative law judge has upheld the authority of the Office for Civil Rights of the Department of Health and Human Services to enforce HIPAA regulations and impose fines, the second time a judge has made such a ruling in OCR’s favor. The decision means Lincare, a healthcare provider of respiratory care, infusion therapy and medical equipment to in-home patients, will have to pay $239,800 in civil money payments for an incident in which patient records were left unsecure. In the case, OCR charged that a Lincare employee took 278 patient records home and later left the records in the house after moving to live elsewhere. Another person who had lived in the home with the employee later found the records. An OCR investigation found that Lincare employees, who provide healthcare services in patients’ homes, regularly removed patient information from the company’s offices. “Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time,” the agency reported. “Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and procedures and strengthen safeguards to ensure compliance with the HIPAA rules.” OCR reported that Lincare denied violating HIPAA, contending that patients’ protected health information was “stolen” by the individual who found the records in the home. In the ensuing court case, the administrative law judge ruled that Lincare was obligated to take reasonable steps to protect PHI. [Source] [Press Release | Notice of Proposed Determination | Decision]

Horror Stories

CA – Thermal Imaging May Lower Power Bill, But Raises Privacy Concerns

The City of Vancouver is beginning a new program that uses thermal imaging to identify older homes that are using excess energy. WATCH: Thermal imaging has been helping homeowners figuring out where they’re losing heat, so they can reduce their power bill, but it’s also adding concerns about a possible invasion of privacy. Beginning in April, the plan is to take images of up to 15,000 homes and then work with about 3,000 homeowners to make their spaces more green, by offering consultation and incentives. Higgins says the cameras can only detect heat, and the photos will only be shared with the homeowner. Once the 18-month pilot project is over, the images will be destroyed. [Global News]

US – Thieves Steal Tax Information from the IRS

The Internal Revenue Service was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically. The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address. Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it. The personal taxpayer data used during the attack was not obtained from the IRS, but was stolen elsewhere, the agency said in a statement. The IRS is notifying affected taxpayers via mail and will monitor their accounts to protect them from tax-related identity theft. [Source]

Internet / WWW

UK – Privacy Watchdog Warns That IoT Devices Can Track People

The UK ICO has told manufacturers of Internet of Things devices they should make better attempts to notify people that data could be collected on them. Simon Rice, technology group manager at the ICO, said that the IoT industry has to comply with data protection when collecting personal data. There could arguably be some confusion over what constitutes personal data and Rice set out a few examples of where data is personal and where it isn’t. What definitely is personal data are Mac addresses used in smartphones. “An IPv6 address could be personal as it would be specific to that device,” he said. He added that even if individual identification is not the intended purpose, the implications of IoT for privacy and data protection are still significant. [Source] See also: [IoT Could Be Used To Spy, Admits James Clapper] and [US intelligence chief: we might use the internet of things to spy on you]

WW – Data Security Concerns Remain Top Obstacle to IoT Initiatives

Despite the rapid growth of the Internet of Things, concerns over data security remain the number one obstacle to further development. That is the conclusion of a recent study by TEKsystems on the state of Internet of Things (IoT) initiatives. More than 200 IT and business leaders were polled by the Hanover, MD-based firm on project ownership, implementation status, risks, required skill sets and organizational preparedness. The purpose of this survey was to gain a better understanding of how organizations are being impacted by IoT, steps they are taking to prepare, resource barriers and challenges, as well as long-term IoT objectives. Key findings from the study are:

  • While 55% expect IoT initiatives to have a ‘transformational’ or ‘significant’ impact
    – just 22% of IoT initiatives have progressed to the implementation stage.
  • Information security and ROI are cited as the biggest hurdles to address
    – and information security experts are cited as the most difficult skill set to find.
  • Leadership of IoT initiatives still mostly reside with IT.
  • Two-Thirds expect IoT projects to be handled with internal staff, yet most organizations are not highly confident in their “in-house” preparedness [Source]

WW – IoT from “Sensor-to-Insight” to “Sensor-to-Action”

A few months ago, we passed an important milestone: For the first time in history, the mobile network traffic between machines had a higher volume than the mobile network traffic between humans. Imagine that… Internet-of-Things traffic surpasses the traffic generated by selfies, pictures of cute cats, text messages as well as all voice traffic in our mobile networks! Internet-of-Things has been a hot and exciting topic for quite a while, but now we see an important development that accelerates the IoT revolution: For a long time, the most common application for IoT has been to collect data. Sensors on various devices and machines have generated data, we have used clever technology to gather this data, send it to some central system and make sense of it. Let us call it “from Sensor to Insight”. What we see now is that we still gather data from remote devices and sensors, but the data can be used to trigger action. To execute business processes. Or influence already running processes. The focus of Internet-of-Things is moving, from “Sensor-to-Insight” to become “Sensor-to-Action”. [Source] See also: [FTC in no rush to regulate Internet of Things] See also: [Visceral data: After heartbreak, IoT devices give us ‘something to show’ ]

WW – GSMA Unveils IoT Security and Privacy Guidelines

The GSMA released guidelines designed to promote secure Internet of Things (IoT) service development and deployment, a sign that the mobile industry acknowledges a growing cybersecurity threat, as well as burgeoning consumer wariness around data privacy and IoT. The document was developed through consultation with the mobile industry. The rapid growth in IoT take-up increases the possibility of potential vulnerabilities, according to the GSMA. “These can be overcome if the end-to-end security of an IoT service is carefully considered by the service provider when designing their service and an appropriate mitigating technology is deployed.” The guidelines have been designed for all participants in the IoT ecosystem including service providers, device vendors and developers. As well as helping providers to build secure services from the outset, the guidelines also establish the need for assessing the risk of all components in an IoT service to ensure they are designed for secure data collection, storage and exchange. The guidelines went through a consultation with academics, analysts and other industry experts. [Mobile World]

Law Enforcement

US – New Report Shows the Limits of Police Body Cameras

The Brennan Center has just completed a study of the body camera policies in the 24 police departments around the country [PDF version] that have so far implemented them. Of the 24, 9 programs are still in the pilot stage. For comparison, the Brennan Center also included three model programs from the ACLU, the International Association of Chiefs of Police, and the Police Executive Research Forum. The authors of the study then broke the policies down into several charts, “Recording Circumstances,” “Privacy and First Amendment Protections,” “Accountability,” “Retention and Release,” and “Security.” [Wash Post] See also: [Survey: Almost All Police Departments Plan to Use Body Cameras] and [A separate effort by the Leadership Conference on Civil and Human Rights, a coalition of different advocacy groups, is tracking implementation of recommended body camera polices across 25 police departments].SEE ALSO: [Missouri Bill Permits Access to Recordings from Law Enforcement Body Worn Cameras: House Bill 2344, relating to body worn cameras and amending Missouri Revised Code in relation to public records, is introduced and read for a second time]

US – Nebraska Bill Permits Govt Use of ALPR Systems Subject to Restrictions

Legislative Bill 831, the Automatic License Plate Reader Privacy Act, is introduced and referred to the Judiciary Committee. Captured license plate data may only be used by specified law enforcement agencies for specified purposes (e.g. traffic violations, missing persons, stolen vehicles, criminal investigations, electronic toll collection, and controlling access to secured areas); law enforcement may only process privately held plate data no more than 14 days old and subject to a criminal warrant or court order. [Legislative Bill 831 – Automatic License Plate Reader Privacy Act – 104th Legislature of Nebraska]

Other Jurisdictions

WW – Privacy Bar Section of the IAPP Unveiled

IAPP has announced the launch of its Privacy Bar Section, which aims to serve the lawyers that compose more than forty percent of IAPP’s membership. In conjunction, the IAPP has also applied to the American Bar Association to have its privacy certification officially recognized as a legal specialty. [IAPP]

Privacy (US)

US – Obama Establishes ‘Cyber Czar’ and New Privacy Board

President Barack Obama is asking Congress to devote $19 billion to cybersecurity and is issuing new executive orders geared at the protection of both government and private computer networks. In one executive order, Obama directed agencies to implement the Cybersecurity National Action Plan. The CNAP is the broad plan that includes establishing the office of a federal chief information security officer, making budget requests and focusing on training opportunities. The federal chief information security officer marks the first time a senior official will be dedicated solely to developing, managing and coordinating the government’s cybersecurity strategy across multiple agencies, a “cyber czar” of sorts. A separate executive order will create the Federal Privacy Council, which is a multi-agency task force charged with coming up with policies to help the government fight hackers or identity thieves, while also protecting the privacy of individuals. The privacy council will report directly to the president. [The Blaze] [White House Executive Order on Privacy Falls Short]

US – ACLU, Tenth Amendment Center Take on Student Data Privacy

In consultation with the center — a think tank that advocates strict limits on federal power — the ACLU wrote model legislation that both organizations are urging legislators around the country to support. Parts of the bills aimed at bolstering student-privacy protections were written to ensure that “schools don’t become a Constitution-free zone,” and that companies that want to collect student data must first get explicit permission. Over the past two years, 32 states have enacted some sort of data-privacy law, according to the Data Quality Campaign. Some of those laws have been sweeping, such as California’s Student Online Personal Information Privacy Act, which has drawn particular praise from privacy advocates. Other laws are much weaker, experts say. To work around a lack of movement at the federal level over data-privacy protections for students, the activists and lawmakers working with the two organizations are calculating that if they get enough states to adopt a stricter slate of privacy expectations for vendors, companies will have little choice but to raise their standards to a level nationally that would allow them to work in any state. Tthe proposed legislation focuses on stepping up safeguards in four specific areas:

  • Parental or student consent to release student data for noneducational purposes or to third parties;
  • Limits on information that can be gleaned from computing devices loaned to students;
  • Protections from warrantless searches of students on campus; and
  • Restrictions on access to student postings that are behind privacy settings on social media.

The model legislation also calls for professional development to help teachers familiarize themselves with basic student-data-privacy concepts. The Future of Privacy Forum — a Washington-based think tank and a co-author of the Student Privacy Pledge, a commitment by ed-tech companies to safeguard data — offered a measured endorsement of the provisions in the ACLU’s model bill. [Source] See also: [Senate Bill 2171 – Student Privacy in Take-Home Technology Programs – State of Rhode Island General Assembly]

US – ACLU publishes updated privacy guide

The ACLU of Southern California announced its publication of the third edition of “Privacy and Free Speech: It’s Good for Business,” the organization reports on its website. The guide includes “more than 100 case studies and cutting-edge recommendations on everything from privacy policies to security planning to community speech standards,” the report states. “By following some pretty simple steps to incorporate privacy and free speech protections into products, businesses can make their services user friendly and avoid costly mistakes,” the report continues. “As the primer illustrates, doing so is not just good on principle — it’s good for business, too.” The primer is available for free online. [ACLU]

Privacy Enhancing Technologies (PETs)

WW – Britain’s First Anonymous Search Engine

Oscobo is the only UK-based Privacy Search Engine that does not track or store users’ data. The company was founded on the belief that personal data should remain just that, personal, and has set out to turn the tables to favour the Internet user instead of serving interests of big companies. This article will highlight the importance of understanding how user data is being tracked and used by search engines, and how using an anonymous option has clear benefits. [Source]

Security

EU – NIS Directive Establishes First EU-Wide Cyber Security Rules

In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive, establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied. [FieldFisher Privacy Law Blog]

WW – Firms Feel More Confident In Ability to Thwart Data Breaches: Study

A majority of organizations believe they will be more secure against data breaches in 2016, despite the fact that nearly three-quarters of organizations experienced a security threat last year. Why the seeming disconnect? A growing number of organizations are investing in more advanced security solutions and are ramping-up end user training around data security best practices. Those are among the findings of the recent study “Battling the Big Hack“ from Spiceworks, which looked at IT professionals’ perceptions of the biggest IT security threats and the steps they’re taking to prevent security incidents and breaches within their organizations. The study found that while 80% of organizations experienced a security incident in 2015, 71% of IT professionals expect their organizations to be more secure in 2016. There is also good news in the study. “In order to protect end users from breaches on various devices in the workplace, 73% of IT professionals are enforcing end-user security policies and 72% are regularly educating their employees through lessons on topics such as ‘how to avoid malware’ and ‘how to spot phishing scams,’ the study noted. [Source]

WW – Infosec Pros Still Pressured to Release Unsecure Projects: Survey

Despite an increase in the number of data breaches last year infosec pros say they continue to be pressured by the business side to release projects that aren’t fully secure, according to an international survey. The survey, paid for by Trustwave, showed that 77% cent of respondents in five countries — and 7% of Canadians — felt either frequent or periodic pressure to roll out IT projects that weren’t security ready. The good news is that the majority agreed it was once or twice rather than frequently. However, if a bug slips by that could be once too many. Released this week, the survey questioned 1,414 in-house information security professionals from around the world including 210 from Canada. Others were in the U.S., Britain, Australia and Singapore. [IT World Canada]

WW – Removing Administrator Rights Mitigates Most Windows Vulnerabilities

According to a recent report, 85% of critical vulnerabilities in Windows last year could have been mitigated by eliminating administrator rights. Nearly all critical flaws affecting Internet Explorer (IE) could have been mitigated with the same action. [ZDNet] See also: [2009 report states that 92% of critical vulnerabilities would be mitigating by reducing the privileges for users on their systems] and [this guide from the NSA in 2013 also recommends reducing the use of local admin accounts. The use of local admin accounts is a prime example of how ease of use wins out over security. Microsoft has published some guides on how to manage this issue. [TechNet] [Technet]

US – DHS, FBI Employee Data Exposed

Someone posted personal information that seems to cover more than 9,000 US Department of Homeland Security (DHS) employees and 20,000 FBI employees online. The self-proclaimed attacker said that the information was taken from a Department of Justice (DOJ) computer using a compromised DOJ email account. [CNET] [DarkReading] [The Hill] [The Hill] [ComputerWorld] [vice.com]

Smart Cars

EU – European Multi-Stakeholder Group Releases Connected Vehicles Report

In December 2015, a multi-stakeholder group called “C – ITS Working Group 6” created in the context of the ITS and eCall working groups published a report on the possible ways that access might be granted to the data generated by connected cars. European Regulation 758/2015 requires the development of an “interoperable, standardized, secure, open-access platform” for the sharing of data. Originally, the work regarding the data sharing platform was related to the eCall directive, which requires cars to be equipped with communication devices that automatically communicate with emergency services in the event of a serious accident. However, Regulation 758/2015 mandates interoperable, standardized, secure, and open access platforms in the broader context of connected car data, including access to telematics data. [Source]

Surveillance

US – Dstillery Uses Iowa Caucus Data to Paint Voter Picture

In a Marketplace report, “data intelligence” and targeting ad firm Dstillery CEO Tom Phillips discusses how the organization employed data analysis technology to find correlating voter traits from participants in the Iowa caucus. “We watched each of the caucus locations for each party and we collected mobile device ID’s,” Phillips said. “It’s a combination of data from the phone and data from other digital devices.” The result? “NASCAR was the one outlier, for Trump and Clinton,” Phillips said. “In Clinton’s counties, NASCAR way over-indexed.” While Dstillery has only taken a look at Iowa voters, it “anticipates compiling voter data in other primaries” depending on candidate interest, the report states. [Source]

US Government Programs

US – White House Plots Privacy Updates for 2016

Marc Groman, who advises the White House on privacy issues, is focusing on delivering fundamental changes to privacy policy in government operations, including IT, in the next 11 months before President Barack Obama leaves office. “Privacy is not a subset of cybersecurity or IT,” said Groman, senior adviser for privacy at the Office of Management and Budget, during a Department of Homeland Security Data Privacy and Integrity Advisory Committee presentation on Feb. 8. “It has to move with those, but it needs its own council.” He was referring to the Federal Privacy Council, which was announced in December 2015 by OMB Director Shaun Donovan. It will be modeled on the CIO Council and will seek to bolster privacy best practices and operations in the federal government. The council will also try to capitalize on individual agencies’ advances in privacy policy, transform those strategies from reactive to proactive and “professionalize” privacy roles in the federal government, Groman said. “We want to shift from an environment of one-time compliance to one of ongoing risk-based” management that incorporates continuous reevaluation of privacy plans, he added. [FCW]

US Legislation

US – Senate Passes Privacy Bill Key to Two International Agreements

The Judicial Redress Act, which gives EU citizens the right to challenge misuse of their personal data in U.S. court has long been a stated requirement of the umbrella agreement, which would allow the U.S. and EU to exchange more data during criminal and terrorism investigations. Its role in the final approval of so-called Privacy Shield, struck last week, is murkier. The deal replaces a 2000 agreement that permitted some 4,400 U.S. firms to legally handle European citizens’ data, struck down by the EU high court in October over privacy concerns. The bill is also a prerequisite of a law enforcement data-sharing “umbrella” agreement reached last fall. [The Hill] See also: [Judicial Redress Act Would Extend Privacy Act Remedies to Citizens of Designated Foreign Nations] [Senate, House OK Judicial Redress Act, send to Obama to sign] [Laws to give EU citizens right of redress in the US over data handling move closer]

+++

 

 

01-07 February 2016

Biometrics

EU – Revised Edition of Biometric Privacy Guidelines Now Available*

The Biometrics Institute has completed revisions on its Biometrics Privacy Guidelines, Biometric Update reports. The guide is a document comprising 16 principles that assist users “across many different countries and jurisdictions,” considering that “biometrics and information technologies do connect beyond national boundaries and across different fields as diverse as health records, border controls, retail, consumer based applications in the telecommunications industry, finance and banking and driver’s licenses,” the report states. “It is the public’s assurance that the biometric managers have followed best practice privacy principles when designing, implementing and managing biometric based projects,” said Biometrics Institute CEO Isabelle Moeller on the guide’s update. The resource is only available to Biometrics Institute members. [Biometric Update] [Biometrics Institute Issues Privacy Guidelines] * To Biometric Institute Members only

WW – New App Employs Selfies to Help Users Find Pictures of Themselves

Waldo, a free app hitting iPhones this spring, utilizes a selfie and location data to find other pictures of the user that have been uploaded to the service. It primarily scours public events, like concerts, for pictures of users, alerting them when it finds their photo elsewhere. The technology has already garnered comparisons to Facebook’s Moments app. However, Waldo’s CEO maintains that the app is aimed toward simplifying a user’s social media experience. “We’re going to make it really painless to get those so you’re not constantly nagging and saying, ‘Hey, will you text me that photo from that party the other night?’“ [MIT Technology Review]

Canada

CA – Ontario Court Expands Scope of Privacy Tort to Include ‘Revenge Porn’

A recent ruling that found a man financially liable for posting a private sex tape of a former girlfriend online is being hailed as a case that is the first of its kind in Canada. Experts are calling the decision a win, which makes sense given we live in an age where there is a rapidly climbing sensitivity to victimization of all kinds, particularly in social media. “Personal and private communications and the private sharing of intimate details of person’s lives remain essential activities of human existence and day to day living. To permit someone who has been confidentially entrusted with such details — and in particular intimate images — to intentionally reveal them to the world via the Internet, without legal recourse, would be to leave a gap in our system of remedies,” said the ruling. “I therefore would hold that such a remedy should be available in appropriate cases.” [Source]

CA – Tax Agency Staffer Gone After Taxpayer Data Leaks to CSIS

No one’s saying much about what happened and who’s been held accountable for several breaches of taxpayer privacy at the Canada Revenue Agency. The privacy breaches came to light last week in the annual report of the watchdog for CSIS, Canada’s spy agency. The report described how intelligence officers, repeatedly and without a warrant, improperly obtained taxpayers’ information. Canada Revenue Agency has confirmed that an employee implicated in a leak of taxpayer information to CSIS is no longer with the tax agency. When CRA was asked what happened on its side, and whether anyone has been fired or disciplined, a spokesman responded, “The employee is no longer with the agency (…) For more information about the incident, please contact CSIS.” A follow-up question about whether the former employee had taken the well-worn path of resigning or retiring before being fired, prompted a politely worded response from Brideau that the agency won’t be able to provide such details. The public may learn more if Canada’s Privacy Commissioner decides to investigate. [Source] [CRA doesn’t even know what taxpayer information it shared improperly with spy agency]

Consumer

US – How You Handle Data Privacy, Security Is Key to Customer Loyalty

How your organization handles issues related to data privacy and data security will have an enormous impact on the willingness of consumers to do business with you. That is one of the key findings of a new study by New York-based Morrison & Foerster. The firm has just released the results of its latest consumer survey on privacy. The survey, “Morrison & Foerster Insights: Consumer Outlooks on Privacy,” examines the attitudes and concerns that U.S. consumers across the country have regarding multiple privacy-related issues, such as the disclosure of personal information, data breaches, and privacy policies. The study results offer some important lessons for IT and data professionals. “The findings indicate that a significant percentage of the American people continue to be concerned about numerous facets of security.” [Source] [MoFo]

Encryption

UK – Communication Providers Should Not Have to Decrypt Messages: MPs

The UK Science and Technology Committee, which has assessed the technical feasibility of the draft Investigatory Powers Bill, said, though, that the new laws should allow intelligence agencies to request that communication providers decrypt data they have encrypted “in tightly prescribed circumstances”. New UK surveillance laws should not impose obligations on communication providers to decrypt messages sent over their networks if they have not added the encryption to those messages, a committee of MPs has said. Giving evidence in December to another parliamentary committee that is scrutinising the Bill, Vodafone raised concern about provisions of the draft laws that would force communication network operators to decrypt communications sent over their networks via other communication services, like Skype and WhatsApp, if requested to do so. In its report, the Science and Technology Committee said that there is a lack of clarity in the current draft of the Bill with how some terms are defined as well as over “the extent to which ‘internet connection records’ (ICRs) will have to be collected” by communication providers. [Source]

EU Developments

EU – The “Privacy Shield” Faces an Uphill Battle

This week, European VP Andrus Ansip and Commissioner Vera Jourová announced that the EU Commission had approved a political agreement on what will henceforth be known as the “EU-US Privacy Shield.” Over the coming weeks they will have to draft a fresh EU Commission adequacy decision to replace the previous “Safe Harbor” decision, which the Court of Justice of the European Union found invalid in Schrems. There is already speculation that the validity of this new decision will itself be challenged in the CJEU; as much is clear from discussions in the European Parliament the night before. So Ansip and Jourová will need to draft as robust a decision as they can, if that decision is to withstand review by the CJEU. [IAPP] [How sturdy is the Privacy Shield?] [FTC, DoC answer Privacy Shield questions] [EU DPAs respond to Privacy Shield; BCRs are a go, for now] [EU-US Privacy Shield scrutinized in Article 29 Working Party initial response] [Deal on EU-US Privacy Shield leads EU watchdogs to extend moratorium on data transfers enforcement action] [EU-US Data Transfers Won’t Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29] [Privacy Shield mauled by European tech suppliers but successor to Safe Harbour agreement cheered by US firms] [FTC Commissioner Julie Brill comments on EU-US Privacy Shield] [What businesses need to know about Privacy Shield] [The EU-US Privacy Shield. Not quite there yet!]

UK – Investigatory Powers Bill Loopholes Will Lead to Unbridled Surveillance

The House of Commons Science and Tech Committee has published its report on the draft Investigatory Powers Bill, influenced by comments submitted by 50 individuals, companies, and organizations. The report is the first of three investigations by different Parliamentary committees. While it was intended to concentrate on the technological and business ramifications of the bill, their conclusions reflect the key concern of lawmakers, companies, and human rights groups about the bill’s dangerously vague wording. The Investigatory Powers Bill, as written, is so vague as to permit a vast range of surveillance actions, with profoundly insufficient oversight or insight into what Britain’s intelligence, military and police intend to do with their powers. It is, in effect, a carefully-crafted loophole wide enough to drive all of existing mass surveillance practice through. Or, in the words of Richard Clayton, Director of the Cambridge Cloud Cybercrime Centre at the University of Cambridge, in his submissions to the committee: “the present bill forbids almost nothing … and hides radical new capabilities behind pages of obscuring detail.” The series of successful challenges in the UK and EU against previous surveillance law and practice shows that vague and unbounded language cannot survive a serious challenge in the courts. If the UK government wants its surveillance rules to stand the test of time, it needs to build them on a firm foundation of clarity, necessity, and proportionality. [Source]

EU – Companies Subject to Multiple EU Data Protection Regimes: Watchdog

Companies that are operational in multiple EU countries can be forced to comply with each of the different national data protection laws that apply in the countries in which they operate, according to new guidance. The Working Party’s guidance also explained how EU data protection laws can apply to non-EU based companies, even if they process personal data outside of the EU. In this context the guidance expands on a 2014 case involving internet giant Google in which the CJEU ruled that Google was subject to Spanish data protection laws despite the company not processing any personal data in the country. The CJEU assessed the fact that Google had a Spanish subsidiary based in Madrid that promoted and sold advertising space for its search service when arriving at its decision. [Out-Law]

Health / Medical

US – Obama: ID Theft Victims Should Have Access to Thieves’ Medical Records

The Obama administration says those who’ve had their identities stolen have the right to review and correct their medical records and also have the right to look at the medical records of those who stole their records. To date, it’s been difficult at times for victims of ID theft to correct their records because they haven’t been able to access the thieves’ medical data because of health care privacy laws. The Senate Health, Education, Labor and Pensions Committee has been looking at ways to help victims of medical identity theft, and the Obama administration — recently criticized by Republicans for not doing enough on the issue — outlined the policy in a letter to the committee. [Wall Street Journal] [FierceHealthIT]

ON – Hospital Improperly Refused to Disclose PHI Because They Consist of Mental Illness Records: IPC ON

This IPC decision reviews the Halton Healthcare Services’ handling of a request for disclosure of health information pursuant to the Personal Health Information and Protection Act. The hospital, which must re-exercise its discretion, relied on irrelevant considerations in deciding against disclosure, such as the fact that there was an the absence of “specimens” and the records are about mental illness; some mental illnesses seem to run in families and it is possible that the PHI may be relevant to health care decisions by family members. [IPC ON – PHIPA Decision 21 – Halton Healthcare Services]

CA – OIPC BC Determines Public Body Did Not Follow Privacy Policies

The BC Office of the Information and Privacy Commissioner investigated the Ministry of Education for failure to protect personal information in its custody. A hard drive containing student personal information (i.e. names, dates of birth, gender, financial aid data, special needs, health and behaviour issues and personal education numbers) went missing; the Ministry should conduct mandatory training with periodic refresher courses, maintain an accurate inventory of personal information assets and store mobile storage devices in a government-approved facility. [OIPC BC – Investigation Report F16-01 – Ministry of Education] See also: [Privacy breach in B.C. points to need for policies in Yukon: commissioner]

UK – Health Care Breaches on the Rise

Healthcare is responsible for more data breaches than any other UK sector, and the number of cases is rising fast. There were 734 instances in 2014, and year-on-year numbers doubled from April-June 2013 to the same quarter the following year. UK trends could be set to follow those of the United States, where 91% of healthcare organisations have suffered at least one data breach in the past 2 years, and 40% have suffered more than 5 incidents. More importantly, mistakes and negligence are no longer the principle cause: criminal attacks on the healthcare sector have increased by 125% since 2010. Hackers can also steal far more information than is usually lost in error: the recent attack on Excellus is believed to have involved up to 10 million individual records. [Source]

Horror Stories

US – Health Insurer Loses Hard Drives with 950,000 Medical Records

Health insurer Centene Corp. is hunting for six computer hard drives containing the PHI records of about 950,000 individuals, the company said Monday afternoon. The drives were being used in a data project that sought to utilize lab test results to improve members’ health outcomes. The records on the missing drives include individuals’ names, dates of birth, Social Security numbers, member ID numbers and unspecified “health information.” [Source]

Identity Issues

CA – BCCLA Raises Privacy Concerns Over Compass Card Tracking

The BC Civil Liberties Association is warning the public about a possibility of a privacy breach for people using Compass Cards. BCCLA claims it is possible to track travel history by simply obtaining a person’s Compass Card. The BCCLA says they are concerned about abusive partners, stalkers or police abusing the system to track someone’s movement. The BCCLA is recommending people pay cash for the card or use cash to buy single-use Compass tickets if they want to make sure their name is not linked to a travel itinerary.[Source]

Internet / WWW

WW – The Case for Ethical Standards in (Big Data) Analytics

A paper by Carnegie Mellon researchers raised a red flag about the analytics behind Google job search ads, revealing that Google’s analytical modeling serves ads for a career coaching service for higher-paying jobs to men more frequently than it does to women. Other research and publications have also pointedly raised concerns and risks regarding the perils associated with breaches or questionable use of data. [Source] [“Automated Experiments on Ad Privacy Settings“]

Law Enforcement

US – EFF and ACLU Say Milwaukee Police Used Stingray Without a Warrant

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have filed an amicus brief in the US Court of Appeals for the Seventh Circuit, alleging that the Milwaukee, Wisconsin police department used a stringray without first obtaining a warrant. [SCMagazine]

US – Berkeley Students File ECPA Suit Against Google

Four U.C. Berkeley students and an alumni have filed a lawsuit against Google accusing it of targeting U.C. Berkeley emails for data mining between 2012 and 2014. The suit follows complaints in 2014 that Google was scanning emails in “Apps for Education,” when nine plaintiffs accused the company of collecting their information for advertising without their consent. In this most recent suit, the plaintiffs say Google’s alleged email scanning violated the Electronic Communications Privacy Act. They say a 2014 post by Google acknowledging it had scanned Apps for Education emails is proof. Google said it doesn’t comment on pending litigation. [The Daily Californian] [Class Action lawsuit webpage] [U of Big Brother? ]

Online Privacy

WW – Extension Allows Users to Block Ads and Avoid Online Tracking

A new Firefox extension called Decentraleyes is aimed at helping users block ads and avoid being tracked online. The tool is free and available for Firefox users. It allows for the loading of content delivery networks with direct access to them, meaning users aren’t tracked once they’ve visited a site. While many sites “chose to host critical libraries on external services, like Google Hosted Libraries, to improve load times and ensure they don’t go down,” doing so “provides another avenue for companies to track the sites you visit.” Decentraleyes stores commonly used files locally “instead of from remote sources” to circumvent that problem. [The Next Web] See also: [Privacy Badger]

WW – Service Creates Ad-Blocker Workaround

Softpedia reports on a new service aimed at “helping online publishers counteract users that employ ad-blocking browser extensions when accessing their sites.” BlockBypass was developed by BlockIQ and responds to the proliferation and usage of ad-blocking extensions, which, according to one study, went up 41% in 2015 compared to the year prior. The trend led to a loss of $21.8 billion in ad revenue. The BlockBypass technology “would allow publishers to hide the location of the ad server from where the ad is being downloaded,” and will sit between the user and the ad server. [Softpedia]

Privacy (US)

US – Where do US Presidential Candidates Stand on Privacy and Surveillance?

Through the various debates and out on the campaign trail, the U.S. presidential election has begun to feature topics of privacy and cybersecurity. Sophos’ Naked Security blog rounds up each candidate’s stance in neat fashion. Republican Ted Cruz, who topped the recent Iowa caucuses, has publicly “opposed many politicians in his own party who were calling for expanded government surveillance powers.” Donald Trump, meanwhile, has called for “closing that Internet up” and said Americans “would be willing to give up some privacy in order to have more safety.” On the Democratic side, Hillary Clinton has “taken a hard line on NSA leaker Edward Snowden” and Bernie Sanders “voted against the USA PATRIOT Act in 2001 and 2006.” [NakedSecurity] See also: [Five senior U.S. administration officials, announced the National Background Investigations Bureau, which will conduct all background checks on federal employees and contractors going forward].

Privacy Enhancing Technologies (PETs)

WW – Google Expanding Safe Browsing in Chrome

Google’s safe browsing technology will now cover online advertisements that try to trick people into entering account access credentials or downloading malware that pretends to be a legitimate software update. If a site is deemed to be deceptive, Chrome will display a red screen and a text warning. [Source]

Smart Cars

EU – German DPA Issues Joint Declaration with Automotive Industry

The data protection authority in Germany issued a joint declaration with the Association of the Automotive Industry on the privacy aspects when using connected and non-connected vehicles. Organisations storing data collected from vehicles should inform individuals of how to exercise access rights and what measures will be taken if the database is lost or stolen; informed consent should be obtained when the vehicles are purchased and users should be able to change or reset settings on any user-entered information (i.e. navigation data and email or messaging contacts). [DPA Germany – Joint Declaration of the Conference of Independent DPAs of the Federal and State Governments and the Association of the Automotive Industry] (in German)

Surveillance

US – Felon’s Lifetime GPS Monitoring Upheld by US Federal Appeals Court

A federal appeals court is upholding lifetime GPS monitoring of a convicted felon, in this instance a Wisconsin pedophile who served time for sexually assaulting a boy and a girl. The court upheld the constitutionality of a Wisconsin law that, beginning in 2008, requires convicted pedophiles to wear GPS ankle devices for the rest of their lives. A federal judge had sided with the offender. Wisconsin appealed to the 7th US Circuit Court of Appeals, which ruled in the state’s favor and derided the lower court’s ruling as “absurd.” Among other things, Belleau said the GPS device violated his privacy because he had served his time and was not on post-prison supervision. The three-judge appeals court did not agree. The court’s reasoning, however, could apply to other criminals who have a propensity to reoffend. The court said that the burden on privacy “must in any event be balanced against the gain to society from requiring that the anklet monitor be worn. It is because of the need for such balancing that persons convicted of crimes, especially very serious crimes such as sexual offenses against minors, and especially very serious crimes that have high rates of recidivism such as sex crimes, have a diminished reasonable constitutionally protected expectation of privacy.” [Ars Technica]

WW – Fitness Trackers Put Users’ Health Data at Risk, Study Suggests

A recent study out of the University of Toronto suggests that wearable devices are full of security holes. The study, conducted by digital research group Open Effect and U of T’s Citizen Lab, found that many of the most popular devices leak information and are vulnerable to manipulation of recorded data. The devices, which can track everything from heart rate to quality of sleep, collect fitness data that wearers use to keep track of their health goals. These trackers aren’t just for the health conscious: lawyers and insurance companies have used data to verify users’ fitness. But while the devices collect an enormous amount of personal health information, key security flaws make it easy to tamper with the data, the study found. Only the Apple Watch received a clean bill of health from researchers because it connected to other tech, such as cellphones, anonymously. [Source]

WW – Berlin Group Issue Recommendations on with Intelligent Video Analytics

The International Working Group on Data Protection in Telecommunications (the “Berlin Group”) issues a working paper on intelligent video analytics technologies by both private and public sector. Privacy implications include a chilling effect, interference with fundamental rights, and lack of public awareness of collection practices; recommendations include respect for the principle of lawfulness and fairness through adequate transparency mechanisms (e.g. use a layered notice), and the principle of proportionality (e.g. apply data minimization practices). [Working Paper on Intelligent Video Analytics]

UK Privacy Watchdog Warns Consumers That Shops Can Track Them

The UK’s privacy watchdog has warned that facial recognition software and handset identifiers broadcasted via Wi-Fi are allowing UK retailers to track and target customers through their smartphones. “This technology, which is starting to be rolled out in shops, allows retailers to use the customer journey to build up a picture as to how people typically use the store. It uses the MAC address of a smartphone which can, in many cases, be linked to a specific individual,” says Simon Rice, group manager for technology at the UK ICO. The technology has also been implemented in airports, transport hubs and using city-wide Wi-Fi networks. The ICO warns that smart CCTV systems and facial recognition cameras are capable of identifying individuals, and similar technology is used on the internet to target adverts at uses based on their behaviour instead of their faces. [Out-Law]

WW – Retailers Urged to Notify Customers of Mobile Tracking

Retailers have been urged to create a standard symbol, similar to the one used to denote the use of CCTV, to inform customers that their location within shopping areas is being tracked through their mobile device. The recommendation was contained in a new working paper that has been issued by an international working group on data protection in telecommunications on the topic of location tracking from communications of mobile devices. The working group’s paper said retailers should not “seek to collect and monitor outside their premises” and can avoid doing so “through careful placement of receivers, limiting data collection through a sampling method and to specified time periods or times of day.” [Out-Law]

US – At Berkeley, A New Digital Privacy Protest

After hackers breached the computer network of the U.C.L.A. medical center last summer, Janet Napolitano, president of the University of California, and her office moved to shore up security across the university system’s 10 campuses. Under a program initiated by Ms. Napolitano, the former secretary of Homeland Security in the Obama administration, the university system began installing hardware and software in its data centers that would monitor patterns of digital traffic, like what websites are being visited by faculty and students, or telltale signs of cyber intruders. The program, which was begun with little notice or consultation, soon rankled a group of professors at one campus, Berkeley, which has a deep-seated ethos of academic freedom as the cradle of the free speech movement in the 1960s. The faculty group of 11 professors critical of the monitoring program said the university system enacted the program largely in private, with little transparency about what data is being collected. The monitoring could compromise and constrain academic freedom to research topics that some find objectionable, among other repercussions, they said. In a formal meeting with the University of California’s chief information officer in December, the professors asked for the program to be halted. [New York Times]

Telecom / TV

US – Judge Says You Have No Expectation of Privacy When Using Tor

Last week, a federal judge in Washington state issued a baffling opinion suggesting that you don’t have a reasonable expectation of privacy when using Tor, the widely-used anonymity software literally designed to give its users privacy. The judge bizarrely argued that Tor doesn’t give its users complete anonymity because a user has to give their IP address to their ISP to connect to the Tor network. Therefore, he concluded, Michaud’s IP address was “public information, like an unlisted telephone number” that “eventually could have been discovered.” This makes no sense to anyone with a basic understanding of how Tor works. [Source]

Workplace Privacy

CA – Ontario Tribunal Grants Employer Access to Employee Health Information

The Toronto Transit Commission requested that the Human Rights Tribunal of Ontario grant access to an employee’s personal health information. The Order permits the employer to access and disclose the employee’s information in its occupational health file, to meaningfully respond to allegations of discrimination; access and disclosure is granted to the employer’s advisors, individuals giving instructions to counsel, and potential witnesses. [Scott Coutts v. Toronto Transit Commission and Amalgamated Transit Union Local 113 – 2016 HRTO 7 – CanLII – Human Rights Tribunal of Ontario] See also: [European Court of Human Rights Decides that Accessing an Employee’s Work IM Account Did Not Breach His Privacy Rights]

+++

 

16-31 January 2016

 

Biometrics

US – Facial Recognition Systems Coming to All American Airports

After a favorable test run at the Washington Dulles International Airport in 2015, the Department of Homeland Security announced that it would be implementing facial recognition technology in all American airports of entry for foreign visitors and U.S. citizens. The “incremental” implementation will begin at the John F. Kennedy International Airport in New York City by the end of the month. While the DHS’s privacy impact assessment says the system won’t store the photos if “they do not result in an enforcement or administrative action,” privacy advocates such as the ACLU argue that this could be the first small step toward increased surveillance. [Fedscoop]

Big Data

WW – Big Data Report Roundup

The past two years have brought continuous policy discussion around the benefits and challenges that accompany this growing use of big data analytics. The White House and the FTC released reports on big data and data brokers in early 2014. Since then, policymakers and wonks of all stripes have weighed in on the subject, frequently highlighting one of the most contentious topics raised by these studies: how to ensure that the increase in automated decision-making does not result in unfair, unethical, or discriminatory effects for consumers. Early in these conversations, a coalition led by the Leadership Conference for Civil Rights released a set of civil rights principles for the era of big data that established broad guidelines for how to avoid having a discriminatory impact with the use of big data. Washington white papers naturally followed; the Future of Privacy Forum partnered with the Anti-Defamation league to produce a report on using big data to fight discrimination and empower groups; Upturn wrote a report on the intersection of big data and civil rights; the President’s Council of Economic Advisors wrote about differential pricing; and the White House has promised a report on the implications for big data technologies for civil rights. Several groups convened on the topic, including an FTC workshop, which resulted in an eventual report around the use of big data for inclusion and exclusion.

WW – Poll Finds Dismal European Big Data Attitudes

A new study conducted for Vodafone’s Institute for Society and Communications found that of 8,000 respondents, “just under a third” felt there were significant advantages to the big data, while “barely more than a quarter” trusted companies to respect their privacy and their data. The findings were an “indictment of current European data protection practices.” [Fortune] See also: [No new ‘competition rulebook’ necessary for big data age, says EU commissioner] and also [The Imperative for Ethical Standards in Analytics]

Canada

CA – Privacy Commissioners Issue Joint Resolution on Information Sharing

Canada’s Information and Privacy Commissioners issue a joint resolution to all levels of government relating to information sharing initiatives. All levels of government are urged to be open and transparent about the implementation of information sharing initiatives including what information will be collected, shared and disclosed; processes should be in place for individuals to request and correct their personal information, for staff to have regular and on-going training on relevant policies and procedures and for use of privacy impact assessments before implementation of these initiatives. [OPC Canada – Protecting and Promoting Canadians Privacy and Access Rights in Information Sharing Initiatives] [Press Release] [Resolution] [priv.gc.ca] [Parliament Should be Wary of Warrantless Access – Privacy Commission – Toronto Star]

CA – Canada’s Spy Agencies Broke Surveillance Laws, Watchdogs Reveal

A new report reveals that the Communications Security Establishment (CSE) has unlawfully shared data with foreign allies, while a report on the CSIS made public on the same day said CSIS has been neglecting to tell judges who authorize surveillance operations they are retaining elements of communications intercepts they are ordered to destroy. The reports from the watchdogs for CSE and CSIS centred on “metadata,” or the intercepted telecommunications trails reflected in phone logs and Internet protocol (IP) exchanges. Collecting and sharing such material can vastly expand intelligence-gathering operations. The legal issues this raises have been quietly debated over the past 15 years within Canada’s intelligence bureaucracy, but not in open courts or Parliament. [Globe&Mail] See also: [Watchdogs report lapses in CSIS, CSE intelligence practices] [CSIS Repeatedly Accessed CRA Taxpayer Info Without a Warrant] and [Think the Liberals will rein in the spy services? Don’t bet money on it] [Yahoo News: CSE Shut Down Data-Sharing, Post-Breach] [Canada’s Electronic Spy Agency Broke Privacy Law by Sharing Info: Watchdog]

CA – BC Privacy Breach a Failure of ‘Executive Leadership’

B.C. Information and Privacy Commissioner Elizabeth Denham said the Ministry of Education underestimated the potential fallout from misplacing a hard drive containing information about some 3.4 million school students. This week, Denham issued a report on the data breach finding that several B.C. education department workers contravened a series of security policy directives and protocols by transferring information from the ministry server onto mobile hard drives, one of which was then lost. Yukon Information and Privacy Commissioner McLeod-McKay, reacting to the B.C. report, said it’s clear that having good policies and procedures in place isn’t enough, there must also be good training and auditing of whether or not the policies are effective. [Source] [Yukon Privacy Commissioner in the Dark About Territory’s Response to Data Breach]

CA – Police Inspection of Laptop Infringed Charter: Ontario Court

Tyler Mayo filed a motion to suppress evidence alleging a violation of his Charter of Rights and Freedoms during a search and seizure. The search of a suspicious laptop (potentially containing child pornography) infringed the Charter when the police opened one of the computer files with a suspicious name, viewed its contents and attempted to open a second file (the police should have allowed the computer technician to return to the directory where the suspicious file names could be in plain view); the infringement was modest (the police conducted only a limited search of the computer relinquished to a computer store, and a warrant for a further search was obtained). [R v Mayo – 2016 INSC 125 – Can LII]

CA – Police Search of Computer Overly Broad: Alberta Court

The Court of the Queen’s Bench in Alberta considers whether search warrants complied with section 487 of the Criminal Code and section 8 of the Canadian Charter of Rights and Freedoms. Police failed to apply a date filter to the contents of the computer and storage devices being searched; exporting a decade of personal information (e.g. emails sent and received, photos, videos, complete internet browsing history and Skype exchanges) accumulated and deleted from the devices was not justified since a mirror image of the website (that the search warrant pertained to) was already secured and a number of videos on the website were already accessed. [HMQ v Mark Marek – 2016 ABQB 18 – Court of Queens Bench of Alberta]

CA – Another New Privacy Tort for Ontario

Last week saw a striking decision issued by the Ontario Superior Court of Justice. 2102 saw the tort of “intrusion upon seclusion” recognized; in 2016, we now have the tort of “public disclosure of private facts”. Unlike the 2012 decision, this one came with a large damage award. Conduct characterized as “revenge porn” clearly fits within the elements of this tort. Mr. Justice Stinson, having found that not one but two torts had been committed, could have stopped there. However, in concluding as he did, he recognized a new cause of action in Ontario: “public disclosure of private facts”. Mr. Justice Stinson modified the test articulated by Prosser, reflecting modern communication technology, to say “…if the matter publicized or the act of publication…” [Source] See also: [Experts praise court decision against man for posting explicit video of ex-girlfriend]

CA – Privacy Commissioner Launches Online Privacy Tool for Families

To mark international data privacy day, the Office of the Privacy Commissioner of Canada has launched “House Rules“—a new interactive tool for families aimed at helping parents manage the online risks facing their children. Parents are invited to use the tool to assess how their children interact online through games, mobile applications and social networking sites as a means of starting a dialogue on safe and responsible surfing. The tool offers simple tips parents and children can customize into their very own “House Rules” that can be printed off and posted in a common area as a reminder of how to protect privacy online. The Office of the Privacy Commissioner of Canada is also unveiling a new tip sheet for individuals to help all Canadians become more familiar with the basics of privacy protection. [Source]

Consumer

US – Americans Express “Loss of Control” Over Their Data: Study

A study on American privacy perspectives found that 91% of Americans feel as though they’ve “lost control” over their data, with 86% taking steps to protect their information online and 47% still unsure about the breadth of the data that’s being collected about them, the organization reports. “Americans express a consistent lack of confidence about the security of everyday communication channels and the organizations that control them — particularly when it comes to the use of online tools, and they exhibited a deep lack of faith in organizations of all kinds, public or private, in protecting the personal information they collect.” Attitudes about surveillance, however, are split, with 52% expressing high levels of concern about the practice, while 46% identified as “not very concerned.” [PEW Research]

US – More Americans Worried About Privacy than Income Loss: Report

A new report from the TRUSTe/National Cyber Security Alliance Consumer Privacy Index indicates more Americans are worried about their data privacy than losing their main source of income. The study indicates concerns over online privacy beat worries about income loss by 11%. The study also found that 56% of Americans say they “trust businesses with their personal information online,” the report states. “If you ask, ‘what does privacy mean for you?’ you’ll find that privacy is an individual thing, and it is different for every person.” [CBS News]

WW – Password List Illustrates User Annoyance and Tech Dead End

SplashData’s annual list of most common passwords found that, once again, “123456” is America’s most beloved digital key. However, this comical collection highlights both user frustration with password use and the technological sector’s current quest to replace it with something more sophisticated. Fingerprint authentication is one future avenue, but critics argue that the commonality of our fingerprints makes them easy to lift and nefariously employ. [The Washington Post]

WW – Study: Bitcoin Users Trust the Currency’s Promise of Privacy Too Much

A new bitcoin study conducted by Rutgers University found that bitcoin users overestimate its provision of anonymity. Bitcoin “transactions are recorded in a public ledger and are traceable with some effort.” “The users in the study trust the security and privacy mechanisms of Bitcoin more than they actually should.” The currency’s increased privacy, however, could give it an edge over physical money in the future. “What I personally like [about bitcoin use] is the anonymity,” said a study author. “You can’t track at all what I’m buying from the supermarket if I don’t use a loyalty card with my purchases when I pay in cash.” [Rutgers]

E-Government

CA – Supreme Court Gears to Battle Ottawa Over IT Rules

The country’s highest court is ready to launch a legal battle with the federal government over new IT rules, which the Supreme Court of Canada fears would threaten its independence. The Supreme Court is not alone in these concerns: the Federal Court, Federal Court of Appeal, Court Martial Appeal Court and Tax Court are all prepared to launch a constitutional challenge against having the government’s super-IT department involved in their digital affairs. The federal Liberals are now left to decide how to handle an issue created by a decision of the previous Conservative government that came into effect during the federal election. That decision forced the courts to go through Shared Services Canada for all IT purchases, such as servers, routers and software, rather than letting them make the procurements on their own. The courts had that power until Sept. 1, when the new rules kicked in and made them a “mandatory client” of Shared Services Canada, which oversees purchases and digital services for 43 of the heaviest IT users in the federal government. The move approved by the Conservative cabinet in May 2015 was supposed to save money, since Shared Services Canada buys in bulk, and improve digital security, because it buys from safe suppliers. [Toronto Star]

E-Mail

US – Yahoo Enters Into Settlement Agreement for Alleged Email Scanning and Extraction Practices

Yahoo accepts a settlement agreement for alleged e-mail scanning and extraction practices that violated the Stored Communications Act and California’s Invasion of Privacy Act. Yahoo must make technical changes so that all incoming and outgoing emails send to and from users in the US are analyzed for advertising purposes only after the user can access the email in their inbox or sent folder; modifications to its website include a paragraphs stating that all communications content is analyzed and stored, and that keywords, package tracking and product ID numbers are shared with third parties. [In Re Yahoo Mail Litigation – US District Court Northern District of California San Jose Division – Case No. 5-13-cv-04980-LHK] [Related News Article]

Electronic Records

US – Research Firms Team For Privacy Initiative

ESOMAR, an association for market research firms, announced on Data Privacy Day a new initiative by its members aimed at boosting “transparency and choice for online audience measurement research.” Headed up by comScore, GfK, Kantar, and Nielsen, the effort, dubbed Research Choices, will help consumers understand online data collection practices and facilitate access to different choice mechanisms across the Internet. Research firms interested in joining the effort must subscribe to the ESOMAR code of conduct, or equivalent ethical code. [IAPP Privacy Advisor]

US – Improper Employee Log-in Use Led to Californian Health Insurance Breach

21,000 Blue Shield of California members were affected by a breach catalyzed by “the misuse of Blue Shield customer service representatives’ log-in information.” While the company’s data systems were left unsullied, everything from Social Security numbers to addresses “could” have been exposed between September and December 2015, the company notified the affected. The company promised complimentary credit-tracking to victims. [FierceHealthPayer]

Encryption

US – California Bill Prohibits the Sale of Encrypted Smartphones

Assembly Bill 1681, amending existing state law and the Business and Professions Code to prohibit the sale of encrypted smartphones, is introduced. The bill requires that a smartphone manufactured on or after January 1, 2017, and sold or leased in California, must be capable of being decrypted and unlocked by its manufacturer or operating system provider; a $2,500 penalty will be imposed for non-compliance with the decryption requirement for each smartphone sold or leased. [Assembly Bill 1681 – An Act to add Section 22762 to the Business and Profession Code, Relating to Smartphones – California Assembly] See also: [BlackBerry says its encryption has not been “cracked” by police]

EU Developments

EU – Safe Harbor Deadline Passed: Agreement Reached

The deadline for the US and European Union negotiators to reach a new Safe Harbor data protection agreement satisfactory to both entities was January 31, 2016. The old arrangement was invalidated last fall after the EU Court of Justice found that it did not adequately protect the privacy of EU citizens. [The Hill] [ComputerWorld] [Ars Technica] The European Commission announced an agreement with the U.S. Department of Commerce to replace the invalidated Safe Harbor agreement on transatlantic data flows with a new EU-U.S. “Privacy Shield.” [Hogan Lovells: EU-U.S. Privacy Shield to Replace Safe Harbor]

WW – Law Firm Contends U.S., EU Privacy Protections Are Equal

According to Geoffrey Robertson QC, the October ECJ judgment that invalidated the “safe harbour” agreement was based on trusting news reports of revelations by Edward Snowden rather than a thorough investigation of US law. He added that the US had become more “privacy friendly” than Europe. He made the comments in an independent opinion commissioned by Facebook, which has been affected by the ECJ ruling. The social network is lobbying against the decision alongside other big technology groups. The barrister, who has represented WikiLeaks and media companies in free-speech cases, said: “It is intellectually dishonest at present to say we have any kind of protection in Europe against national security surveillance.” [FT.com] The Sidley report represents one of the most comprehensive rebuttals to suggestions that the European Court of Justice’s ruling in October on privacy opened an irreparable rupture for U.S. and EU commerce. The decision tossed out the widely used business data-transfer agreement on the grounds that Europeans’ privacy might not be adequately protected against U.S. national security surveillance. The Sidley Austin authors, based in the U.S. and EU, said that while the ECJ did invalidate the agreement, it did so because a test had not been done to establish equivalent privacy protections in the U.S., leaving the door open to a new agreement that is based on such a finding of equal privacy. [Source] [Take-up of cloud storage in Europe affected by privacy issues]

EU – Study Hints at How E-Privacy Directive Might be Reformed

The Commission wants to update the EU’s Privacy and Electronic Communications (e-Privacy) Directive and the recommendations made to it last summer suggest that wide-ranging changes are likely, including to rules on the use of cookies, direct digital marketing and on the processing of location data.

Telecoms bodies have called for the repeal of the e-Privacy regime, but the study suggests it will be expanded and will have an impact on many more businesses that communicate via digital channels than is currently the case. The Commission, which first outlined its intention to reform the e-Privacy Directive in 2014, has promised to consider the findings of the study. Proposals for reforms are scheduled to be instigated this year, with a consultation on the reforms likely to be opened in March, according to recent reports. [Out-Law]

EU – Independence of Data Protection Commissioner Questioned

The Irish High Court is being asked to make a referral to the EU’s highest court for a ruling on whether Ireland’s Data Protection Commissioner is truly independent under EU law. Legal papers served on the State and the Attorney General claim the State has acted in breach of EU law by failing to ensure the regulator exercises its role independently. The action is being taken by the privacy advocacy group Digital Rights Ireland (DRI), which took a successful case to the Court of Justice of the European Union in 2014 overturning the entire regime under which the telephone and internet data of over 500 million European citizens were retained for up to two years. The papers note that the office of the commissioner, Helen Dixon, is integrated with the Department of Justice and that the commissioner and all her office’s employees are civil servants. They also allege the commissioner has failed to act independently in policing databases of citizens created in recent years by both Irish Water and the Department of Education. The commissioner’s office is considered one of the most important regulatory roles in Europe because of the high number of multinational, data-rich firms based in Ireland, including Facebook, Apple and LinkedIn. It has come under repeated criticism from some EU sources for being “soft” on regulation, partly because of the number of jobs such firms support here. That allegation has been denied by the current commissioner and by her immediate predecessor Billy Hawkes. [Source]

Facts & Stats

US – Breach Costs Often Come Long After Incident Detection: Survey

According to a new study, the costs of data breaches go “far beyond the initial incident response and customer notification costs.” The SANS Institute survey found that “about one third of organizations are able to remediate breaches within a week of detection, and the greatest financial impact from breaches extended months and even years beyond the event for the majority of organizations.” The survey looked at how nearly 60 organizations coped with breaches and found more than 40% said the greatest impact from the breach was felt one to 12 months after the incident. Some of that was because of unforeseen required actions necessary for forensics or data recovery. [Dark Reading]

US – OTA Releases 2016 Data Protection & Breach Readiness Guide

91% of breaches are avoidable. The best defense is implementing a broad set of operational and technical best practices that helps protect your company and your customers’ personal data. The second step is to be prepared with a data lifecycle plan that allows a company to respond with immediacy. Ultimately, industry needs to understand that effectively handling a breach is a shared responsibility of every functional group within the organization. A key to success is moving from a compliance perspective to one of stewardship. This perspective recognizes the long term impact to a brand, the importance of consumer trust and implications and considerations with vendors and business partners. The OTA Guide Guide includes risk assessment guide for service providers, check lists for cyber insurance, security best practices, incident reporting forms and remediation service check lists and more. [OTA Alliance] [Cyber Attackers Focusing on Targets With Most Valuable Data] [https://otalliance.org/Breach]

Finance

WW – Insurers Will Look for Evidence of Appropriate Cyber Defenses for Cyber Insurance Policies in 2016

Insurers who provide cyber insurance are not convinced enterprises are doing enough to protect their digital assets. A recent study from CSO outlines some major changes coming to cyber security insurance in 2016: Cyber insurance will move toward a “must have” and “evidence based” model with new minimum level requirements in place for policies. This is expected to disrupt the cyber security industry and place new challenges on IT workers. However, it is good news for customers because it drives improvements to companies’ ability to handle threats and protect customer information. (RSA)

WW – Survey: Half of IT Pros Don’t Know Where Their Payment Data is Stored

A recent study indicates a “critical need” for organizations to improve their payment data security practices. A study by Gemalto of more than 3,700 IT professionals found 54% said their companies had experienced a data breach involving payment data “an average of four times in the past two years,” and 55% said they don’t know where their payment data is stored. Meanwhile, researchers say they’ve found four vulnerabilities in Lenovo ShareIT, which they say could mean data leaks. [InformationAge]

CA – Disclosure of PI for Purposes of Debt Collection: How Far Can You Go?

The applicable federal private sector legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), allows the disclosure of personal information about an individual without their consent for the purpose of collecting a debt owed by the individual. However, based on the position reportedly taken by the Privacy Commissioner in this case, publicly posting private financial information of identifiable individuals does not fit within the ambit of the exception and the exception does not give a blanket permission to indiscriminately disclose a debtor’s personal information. [Lexology]

FOI

CA – Info Commissioners Call on Governments to Create a Duty to Document

Canada’s Information Commissioners have called on their respective governments to create a legislated duty requiring public entities to document matters related to their deliberations, actions and decisions.

In a joint resolution, information commissioners expressed concerns about the trend towards no records responses to access to information requests. This lack of records weakens Canadians’ right of access and the accountability framework that is the basis of Canada’s access to information laws. Without adequate records, public entities also compromise their ability to make evidence based decisions, fulfill legal obligations, and preserve the historical record. Canada’s information commissioners have urged governments to create a positive duty for public servants and officials to create full and accurate records of their business activities. This duty must be accompanied by effective oversight and enforcement that ensures Canadians’ right of access to public records remains meaningful and effective. [Source]

CA – BC OIPC Rejects Third Party’s Assertion that Contract Information is Supplied and Subject to Exemption from Disclosure

This OIPC order reviews the Ministry of International Trade and Ministry Responsible for Asia Pacific Strategy and Multiculturalism’s decision not to withhold records requested under B.C.’s Freedom of Information and Protection of Privacy Act. The information does not meet the second part of a 3-part test because it is not supplied to a government ministry, but negotiated; the disputed information contains the sort of detail about contractual arrangements that would have been susceptible to change through negotiation, and it is clear that an agreement was reached between the parties to amend certain obligations of an existing contract. [OIPC BC – Order FEW-71 – Ministry of International Trade and Ministry Responsible for Asia Pacific Strategy and Multiculturalism]

CA – The Northwest Territories’ Health-Specific Privacy Legislation In Effect

The Northwest Territories have enacted the Health Information Act, SNWT 2014, c 2 (HIA) which took effect on October 1, 2015. The HIA sets out rules for the collection, use and disclosure of personal health information; the Act is designed to protect health information and facilitate the provision of health services. Much like the health privacy statutes of other provinces, the HIA recognizes the sensitive nature of personal health information, which is frequently shared in the provision of health care and the management of our publicly funded health care system. Other Canadian provinces and territories have similar legislation, including Alberta, Saskatchewan, Manitoba, Ontario, Newfoundland and Labrador, New Brunswick, Nova Scotia, British Columbia and Quebec. Similar laws have also been passed in Prince Edward Island (Bill 42 – Health Information Act) and Yukon (Bill 61 – Health Information Privacy and Management Act), but have yet to be enacted into force. [Lexology]

Health / Medical

US – Academy of Family Physicians Clarifies HIPAA Disclosure Amendments

The American Academy of Family Physicians clarifies the amendments to the HIPAA Privacy Rule. Covered entities can disclose the minimum necessary identifying information about individuals who have been involuntarily committed to a mental health institution, lack the mental capacity to manage their own affairs, or have been determined to be a danger to themselves or others; the Rule is not applicable to most health care professionals and diagnostic or clinical information may not be disclosed. [Modified HIPAA Rule Allows Limited Reporting of Patient Information – American Academy of Family Physicians]

US – Health Care Entities Unite for Privacy’s Sake

In an effort to curb cyberattacks, privacy gaffes and HIPAA breaches, the Electronic Healthcare Network Accreditation Commission and the National Health Information Sharing and Analysis Center have become allies, with plans to initiate blended teams to analyze threats, present research, and plan education events. “We are our own worst enemy, and if we don’t come together and share information, the bad guys are sharing information, and shame on us,” said NH-ISAC President. “The collaboration is significant, because there’s growing need for healthcare organizations to share threat level data,” the report adds. “This information has been ineffectively shared in the past because of competitive pressures and the disjointed nature of the industry.” [HealthData Management]

US – HIPAA Modified in Light of President Obama’s Executive Order

The U.S. Department of Health and Human Services’ Office of Civil Rights updated HIPAA in accordance with President Obama’s executive order regarding firearms. Entities under the HIPAA umbrella will be able to provide the National Instant Criminal Background Check System with the identities of individuals with a “mental health prohibitor” that would prevent them from “transporting, possessing or receiving a firearm,” starting Feb. 5 of this year. The revision “does not apply to most health care providers, allows only limited demographic and certain other information needed for the purposes of reporting to the background check system, and specifically prohibits the disclosure of diagnostic or clinical information from medical records or other sources.” [National Law Review]

US – FDA Issues Medical Device Cybersecurity Draft Guidance

The US Food and Drug Administration (FDA) has issued draft guidance, “Postmarket Management of Cybersecurity in Medical Devices,” for device manufacturers. In October 2014, the FDA issued guidance for medical device manufacturers regarding building cybersecurity into their product from the beginning of the development process. [News-Medical] [GovInfoSecurity] [January 2016 Draft Guidance] [October 2014 Guidance]

Horror Stories

US – LinkedIn’s Individual Payment in Data Loss Settlement Sets It Apart

Class counsel has dubbed the $13 million, $16-per-victim LinkedIn class-action settlement “particularly impressive” in comparison to the outcome of other cyber privacy suits due to the individual-by-individual payoff. More than 550,000 LinkedIn netizens reported that they were victims of the company’s misuse of contact information after it sent invitational emails to user connections. In addition to user payment, the settlement requires LinkedIn to improve and clarify its disclosure policy in regards to its “Add Connections” feature, among others. The arrangement is still awaiting final approval by California’s U.S. District Court Judge Lucy Koh. [Media Post]

Identity Issues

FTC: Tax Fraud Behind 47% Spike in ID Theft

In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47% increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks. [Source]

US – FTC Announces Significant Enhancements to IdentityTheft.gov

For the first time, identity theft victims can now go online and get a free, personalized identity theft recovery plan as a result of significant enhancements to the FTC’s IdentityTheft.gov website. The new one-stop website is integrated with the FTC’s consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved. [FTC Press Release]

Intellectual Property

WW – Netflix Cracking Down On Proxy Users

Netflix says it’s going to crack down on customers using VPN software to access content that isn’t available or licensed in their country of origin. “Some members use proxies or ‘unblockers’ to access titles available outside their territory,” the company said in a statement. “In coming weeks, those members using proxies and unblockers will only be able to access the service in the country where they currently are.” The move is aimed at appeasing content producers’ licensing agreements with Netflix. [TechCrunch]

Internet / WWW

WW – Winners of FPF Best Privacy Papers Announced

The Future of Privacy Forum announced its choices for the best privacy research papers of 2015 at the Sixth Annual Privacy Papers for Policymakers. The winners were Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor, for “A Design Space for Effective Privacy Notices“; Ira S. Rubinstein and Woodrow Hartzog’s “Anonymization and Risk“; Arvind Narayanan, Joanna Huey, and Edward W. Felten’s “A Precautionary Approach to Big Data Privacy“; Ryan Calo’s “Privacy and Markets: A Love Story,” and Neil Richards and Woodrow Hartzog’s “Taking Trust Seriously in Privacy Law.” Honorable mention went to Peter Swire for “Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy“ and Joel R. Reidenberg’s “The Transparent Citizen.” A summary of each of the winning papers can be found here. [FPF]

Law Enforcement

US – CDT Sides with ACLU on Unconstitutionality of Sex Offender Regulations

A Center for Democracy & Technology amicus brief for the Sixth Circuit’s Doe v. Snyder case supports the ACLU of Michigan’s assertion that the online registration regulations for former sex offenders are indeed a constitutional breach, the organization said in statement. “The district court wrongly concluded that the identifiers requirement does not infringe registrants’ constitutionally protected right to engage in unidentified expression, because the law does not unmask their anonymity to the public. But the right to speak without identifying oneself or one’s content to the government is critical — particularly for engaging in expression that may be controversial or highly personal,” the statement reads, adding that the regulation does not further state any plans for data protection. “We urge the Sixth Circuit to hold Michigan’s ‘Internet identifiers’ requirement to that standard and declare it unconstitutional on its face,” the report continues. [CDT.org]

Location

US – ALPR “Unprecedented Threat to Privacy”

Throughout the United States—outside private houses, apartment complexes, shopping centers, and businesses with large employee parking lots—a private corporation, Vigilant Solutions, is taking photos of cars and trucks with its vast network of unobtrusive. A private company has captured 2.2 billion photos of license plates in cities throughout America. It stores them in a database, tagged with the location where they were taken. And it is selling that data. [The Atlantic]

WW – Industry Group Issues Safeguards to Mitigate Privacy Risks Associated with Location Tracking

The International Working Group on Data Protection in Telecommunications issued a working paper on location tracking in mobile devices. Privacy risks of location tracking of mobile devices includes covert collection of device specific identifiers, and the combination of tracking data with other online/offline information; recommendations include conducting a PIA, notifying individuals, limiting the bounds of data collection, anonymising data without delay, appropriate retention of individual level data, consent for combination with other information and for sharing of individually identifiable data with third parties, and implementing a simple and effective means to control collection. [Working Paper on Location Tracking from Communications of Mobile Devices]

Online Privacy

WW – Skype Now Hides Your Internet Address

Ne’er-do-wells have long abused a feature in Skype to glean the Internet address of other users. Indeed, many shady online services that can be hired to launch attacks aimed at knocking users offline bundle so-called “Skype resolvers” that let customers find a target’s last known location online. At long last, Microsoft says its latest version of Skype will hide user Internet addresses by default. [Krebs]

Privacy (US)

EU – Schrems Responds to US Lobby Groups on Safe Harbor

In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that “attempts by lobby groups and the US government to ‘reinterpret’ or ‘overturn the clear judgement of the Union’s highest court are fundamentally flawed.” Schrems brought the successful case to theEuropean Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide “protection against government surveillance and “essentially equivalent” protection against the commercial use of data by certified companies.” Max Schrems received the 2013 EPIC Champion of Freedom Award.

US – Law Firm Argues US, EU Privacy Laws ‘Essentially Equivalent’

A recent report from a US law firm concludes that the US offers essentially equivalent privacy protection to Europe. The report also finds that “This body of laws ensures that government access to data for law-enforcement and intelligence purposes is limited to what is necessary and proportionate.” However, all travel records of Europeans are routinely transferred to the US Department of Homeland Security without any legal protection, and under Section 702 of the Patriot Act, the US government routinely obtains vast amounts of personal data on non-US persons, including communications logs and website activity. Executive Order 12333 provides even broader surveillance authorities. [Sidley Austin LLP: “Essentially Equivalent” (Jan. 2016)]

US – FTC Issues Privacy Update Report

The FTC announced the publication of its Privacy & Data Security Update 2015. The report aims to highlight the agency’s commitment to ensuring consumers are able to reap “the benefits of innovation in the marketplace, confident that their personal information — online and offline — is being handled responsibly,” citing a host of its 2015 initiatives, from the PrivacyCon event to its IdentiyTheft.gov, as evidence of meeting that goal. “Each of our projects in the privacy and data security arena has been informed by a central message: Even in the face of rapidly changing business models and technologies, companies still need to follow fundamental privacy principles.” [FTC]

US – Wyoming Legislature to Consider ‘Right to Privacy’

The Wyoming State Legislature will debate whether Wisconsin voters will vote on the addition of privacy as a citizen’s right in the state’s constitution. This will be the second attempt by privacy advocates to get the legislature to consider such an addition, after it was thrown out last year for imprecise language and confusing implications. This measure specifies that it “wouldn’t deprive people of the right to inspect public records or observe government operations” and has the support of the chief information officer for the State of Wyoming. According to the National Conference of State Legislatures, 10 other state constitutions already recognize citizens’ right to privacy. They are: Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina and Washington. [ABC News]

US – ACLU Leads Privacy Charge In 16 States

Frustrated with the lack of federal leadership on privacy issues, the ACLU has orchestrated a rollout of state-level legislation that would work to make privacy regulations more sophisticated across 16 states. The ACLU has found allies in exasperated legislators as well. Regarding privacy issues, “our federal gov­ernment didn’t take the lead and should have taken the lead,” said Rep. Peter Lucido, R-Mich., adding, “But now it left us all to go ahead and fend for ourselves at the state level.” The bills cover everything from law enforcement surveillance to student and employee privacy rights. “This movement is about seiz­ing control over our lives,” said the ACLU’s Anthony Romero. “Everyone should be empowered to de­cide who has access to their personal information.” [The National Journal]

US – New York Bill Requires Mobile Devices to Have an Enabled Solution to Render the Device Permanently Inoperable

Senate Bill S.51, the Smartphone and Tablet Security Act, was introduced in the New York State Senate and referred to the Consumer Protection Committee. Owners of devices sold after January 1, 2016 must be able to disable voice communications, connections to the internet, and access and use of mobile software applications when the device is no longer in their possession; these features can be disabled by consumers after purchase (but not by retail sellers). [S.51 – The Smartphone and Tablet Security Act – New York Senate]

US – EPIC Gives 2016 Freedom Award to Viviane Reding

EPIC has presented the 2016 International Champion of Freedom Award to former EU Justice Minister Viviane Reding. Ms. Reding led the effort in the European Common for adoption of the new European privacy law, the General Data Protection Regulation. The EPIC award was presented January 27, 2016, at the annual Computers, Privacy & Data Protection conference in Brussels. [EPIC]

US – How Facebook Tracks and Profits from Voters in a $10bn US Election

The Cruz campaign is using Facebook to target voters on a range of broad issues like immigration controls to niche specific causes such as abolishing state laws against the sale of fireworks. Facebook told investors it was “excited about the targeting”, and does not let candidates track individual users. But it does now allow presidential campaigns to upload their massive email lists and voter files – which contain political habits, real names, home addresses and phone numbers – to the company’s advertising network. The company will then match real-life voters with their Facebook accounts, which follow individuals as they move across congressional districts and are filled with insightful data. The data is encrypted and not maintained by Facebook after ads run, the company said. Acxiom, a massive data broker based in Little Rock, Arkansas, helps campaigns upload the voter info. But a campaign operative said the Texas senator has been using Facebook ads to raise money, among other things, and a Guardian analysis shows Cruz-affiliated donors are spending $10,000 per day on Facebook “placement” as the first vote nears. [The Guardian]

Privacy Enhancing Technologies (PETs)

UK – Government Rolls Out Massive Blockchain Report

In a major 88 page tome on Blockchain and distributed ledgers, the UK Government’s Chief Scientist sets out how this technology could transform the delivery of public services and boost productivity. The UK report states that Blockchain technology could provide government with new tools to reduce fraud, error and the cost of paper intensive processes and it also has the potential to provide new ways of assuring ownership and provenance for goods and intellectual property. The report also includes a lengthy look at Estonia who is already moving quickly to adopt distributed ledgers — and the case study of Estonia shows how quickly a small country with an effective digitally-aware leadership can progress and considers the features of advancing digital nations. [Source] See also: [Privacy on the Blockchain: Exploring the Blockchain technology and its privacy potential]

Security

WW – Study: Cybersecurity Fears Top Terrorism, Climate Worries

The World Economic Forum’s annual Global Risks Report named cybersecurity among its gravest industry threats, ranking higher than terrorism and climate change. This is the third time in a row that the issue has made the study. “As the Internet of Things leads to more connections between people and machines, cyber dependency — considered by survey respondents as the third most important global trend — will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem.” [SC Magazine]

CA – Regulator Issues Vendor Risk Assessment and Cyberincident Checklist

The Investment Regulatory Organization of Canada (“IIROC”) has issued a guide for vendor risk management for small and mid-sized Dealer Members. Assessing vendor risk requires a detailed response from vendors regarding their consideration of issues such as vendor controls, security architecture, information system configuration, access controls, security monitoring, physical security, contingency planning, and their business associates. [Vendor Risk Management – Investment Industry Regulatory Organization of Canada] Organizations should undertake activities before an incident (e.g. create a prioritized list of information assets critical to the functioning of the organization), during an incident (e.g. convene one teleconference to discuss what is required to restore operations), and after an incident (e.g. discuss any changes in process or technology needed to mitigate future incidents [Cybersecurity Best Practices Guide – Investment Industry Regulatory Organization of Canada]

WW – Software Bugs Rampant in Home Wi-Fi Routers

There has been a proliferation of software bugs in basic home Wi-Fi routers and the subsequent difficulty in getting security patches out to users. In one example, a bug that was fixed by Allegro Software Development nearly 10 years ago was still found to exist in more than 10 million devices. It turns out that a router manufacturer had been including the pre-2002 version of Allegro’s software on new routers. “The router flaw highlights an enduring problem in computer security: Fixing bugs once they have been released into the world is sometimes difficult and often overlooked,” the report states. [Wall Street Journal]

Smart Cars

US – Auto Industry, DoT Agree on Cybersecurity Best Practices

The U.S. Department of Transportation and 17 automakers have reached an agreement designed to improve safety and increase the sharing of cyber-threat information. With regard to cybersecurity, the automakers — including General Motors, Ford, and Toyota — also agreed to suggest best practices, share lessons learned, and work with the info-sharing and analysis center created by the auto industry last year. The group released a list of “proactive safety principles” that aim to help the industry improve cybersecurity. The list includes plans to create an automotive industry Information Sharing and Analysis Center (ISAC). Automobile supply companies will be urged to join as well. The car makers also want to work with bug hunters. [ComputerWorld] [Wired] [Proactive Safety Principles 2016] Last year, security specialists successfully hacked into and took control over a connected car, prompting a first-of-its-kind recall by Fiat-Chrysler. [Bloomberg]

CA – OIPC AB Issues PIA Guidelines for Auto Insurers Offering Usage-Based Insurance Programs

The Alberta Office of the Information and Privacy Commissioner issued privacy impact assessment guidelines for insurers implementing usage-based insurance programs. When submitting a PIA for review, details should be provided about the organization’s management structure, policy management, training, incident response, and access and correction requests; an analysis of program-specific privacy topics should be completed (such as information flow, notifications, consent, contracts, agreements and use of PI outside Canada) and include a description of access controls, mitigation plans and monitoring procedures. [OIPC AB – Privacy Impact Assessment Guidelines for Insurers]

EU – European Commission Issues Recommendations for Data Protection and Privacy in Intelligent Transport Systems

The European Commission Cooperative Intelligence Transport Systems (“CITS”) Platform Working Group issued its final report relating to privacy and data protection in the context of CITS. Messages sent between vehicles and the IT infrastructure raises potential concerns because of the potential indirect identification of users; a list of clearly identified applications where consent is necessary should be accessible to drivers and all situations where secondary use or re-purposing of data may take place should be identified. [European Commission – C-ITS Platform Final Report]

EU – Security and Privacy Challenges in Developing an EU Legal Framework for Automated Vehicles

The European Parliamentary Research Service issued a report on data protection and cyber security in automated vehicles. Connected cars can generate, store and transmit users’ personal data (route to work, time of driving, appointments, etc.) that have significant potential for other uses; the connection between the in-vehicle system and the vehicle manufacturer’s central server has to be secure to prevent unauthorised disclosure and manipulation. [European Parliamentary Research Service – Automated Vehicles in the EU]

Surveillance

US – NSA Civil Liberties and Privacy Office Issues Results of Assessment of its Metadata Collection

The Civil Liberties and Privacy Office at the NSA issues a report on a privacy impact assessment examining implementation of changes effected by the USA FREEDOM Act. Collection of call record details satisfies the transparency principle through release of detailed implementation information and mandatory reporting requirements (i.e. number of targets, unique identifiers used and search terms); the principle of data minimization is satisfied because only telephone metadata can be collected, records that do contain foreign intelligence information must be promptly destroyed and data can only be retained for a maximum of 5 years. [NSA Civil Liberties and Privacy Office – Transparency Report – the USA FREEDOM Act Business Records FISA Implementation]

US – California Police Department Uses Stingrays from Planes

According to documents obtained by the ACLU, the police department in Anaheim, California, has used surveillance technology that has been referred to as “stingray on steroids.” Known as Dirtboxes, the powerful cell-site simulators are mounted on airplanes to collect data on thousands of phones at once — listening to conversations, reading emails and text messages — beginning in 2009. A California state law that came into effect on January 1, 2016 requires law enforcement agents to obtain a warrant before using a cell-site simulator. [Ars Technica] [Wired] [Document Cloud] [BuzzFeed] SEE ALSO: [Hailstorm surveillance tool in privacy advocates’ crosshairs]

US – Commonwealth Court Rules Pro-Police In Phone Rummaging Case

Massachusetts Supreme Judicial Court ruled in favor of police officers who obtained a warrant to search a suspect’s iPhone and checked both his texts and photographs. The defendant argued that police only had probable cause to inspect his texts. “Communications can come in many forms including photographic,” the majority opinion countered. “So long as such evidence may reasonably be found in the file containing the defendant’s photographs, that file may be searched.” Critics are calling for new regulations to protect mobile privacy. “We need very clear standards for police officers who are issuing warrant applications,” said the ACLU Massachusetts. [Ars Technica]

US – Report Says the Threat of “Going Dark” is Overstated

A report from Harvard’s Berkman Center for Internet & Society, titled, “Don’t Panic: Making Progress on the ‘Going Dark’ Debate,” says that US law enforcement’s concerns about encryption allowing terrorists to “go dark” overstate the problem. The report said that while encryption may hinder some surveillance activity, the increasing spread of Internet connected devices can “likely fill some of these gaps and … ensure that the government will obtain new opportunities to” conduct surveillance. [The Hill] [ComputerWorld] [ZDNet] [CNET] [New York Times] and also: [Hillary Clinton Hints At Apple, Facebook Compromise Over Encryption]

US – NYC Dept of Consumer Affairs Investigating Baby Monitor Security

The New York City Department of Consumer Affairs is investigating baby monitors that are vulnerable to attacks. The agency has sent subpoenas to four as-yet unnamed companies asking for information about the way they address the security of their products. It has also posted an alert for consumers that includes advice on how to protect their monitors. [NBC News] [Wired] [NYC.gov] [NYC launches investigation into hackability of baby monitors ]

Telecom / TV

CA – Cell Phone Evidence Should Not Be Excluded: Ontario Court

The Ontario Superior Court of Justice considers an application by an arrestee to exclude from evidence at trial his cell phone and cell phone number, pursuant to the Canadian Charter of Rights and Freedoms. Defendant has only a low privacy interest in the cell phone and the number (e.g. it is less personal than health records and the call log was acquired only after obtaining judicial authorization); Defendant himself made reference to his cell phone after he had been given the opportunity to consult with his counsel, and the cell phone number could have been extracted from the cell phone itself (which was already in police possession). [Her Majesty the Queen v. Andre Palmer – 2016 ONSC 153 – Ontario Superior Court of Justice]

CA – Ontario Court: Production Order for Cell Tower Information is Unreasonable Search and Seizure

The Ontario Superior Court of Justice issued a decision on the application by Rogers Communications and Telus Communications to revoke a production order pursuant to section 487.012(5) of the Criminal Code. The required disclosure of personal information was beyond what was reasonably necessary to gather evidence, such as bank and credit card information, information of any subscriber near to the scene, and the location of the other party to the call (who could be far removed from the crime scene); production orders should include an explanation of why the requested information is relevant, details to conduct a narrower search and request a report based on the data (not the data itself). [Her Majesty the Queen v Rogers Communications Partnership and Telus Communications Company – Ontario Superior Court of Justice – Court File No CRIMJ P 299-14] See also: [Dragnet No More? Recent guidance on production orders] and also: [D. Fraser: Tower dump case raises troubling questions about law enforcement and privacy] and [Canadian Judge Offers Guidelines to Make Cellphone Surveillance Less Intrusive]

US – NY Bill Requires Smartphones to be Decrypted or Unlocked by Manufacturers or System Providers

Assembly Bill A8093, relating to the Manufacturing and Sale of Smartphones That are Capable of Being Decrypted and Unlocked by the Manufacturer was introduced in the General Assembly. An Assembly Bill, if passed, would require that any smartphone that is manufactured on or after January 1st, 2016, and sold or leased in New York, be capable of being decrypted and unlocked by its manufacturer or its operating system provider; the seller or lessor of any smartphone that is not capable of being decrypted and unlocked will be subject to a civil penalty of $2500 for each smartphone sold or leased (a civil suit may be brought by the attorney general or the district attorney). [AB A8093 – An Act to Amend the General Business Law in Relation to the Manufacturing and Sale of Smartphones That are Capable of Being Decrypted and Unlocked by the Manufacturer]

US Government Programs

US – New US Government Agency Will Handle Background Checks

The White House has announced that a new agency will assume the job of conducting background checks on contractors and government employees. The Office of Personnel Management’s (OPM) Federal Investigative Services (FIS) will become part of the National Background Investigations Bureau (NBIB). “The Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB.” [FCW] [Whitehouse.gov] [NextGov] [The Hill] [v3.co.uk]

WW – FIDO Issues Privacy White Paper

The FIDO Alliance has issued a new Privacy White Paper to mark Data Privacy Day explaining how FIDO’s protocols and specifications help to protect user privacy; as the consortium put it in a synopsis, “there is no privacy with security.” FIDO points to recent research on data breaches indicating that 95% of web app hacks rely on stealing customer credentials from mobile devices—and of course those credentials are virtually all passwords. FIDO’s goal is to replace archaic password-based security systems with more advanced frameworks incorporating measures like risk-based authentication and two-factor authentication. Security systems that adhere to FIDO protocols don’t involve third parties, keep biometric data on the user’s device, require user consent for the release of data, and incorporate many other principles designed to ensure that user data is protected behind advanced authentication apparatuses. [MobileIDWorld]

US Legislation

US – Senate Marks Data Privacy Day With Passage of Critical Bill for Safe Harbor

The US Senate celebrated Data Privacy Day by passing a critical piece of legislation that will extend US privacy rights to Europeans. The Judicial Redress Act passed the Senate’s Judiciary Committee this week, putting it in front of the full Senate and making it a virtual certainty to become law. The Act will extend the same privacy rights that US citizens enjoy to European citizens, and will provide European citizens with the right to proper judicial redress over how their data is handled by American corporations and the US government. Europeans will be able to access records about themselves collected by the US government, and amend those records. It the records are disclosed unlawfully, they will be able to sue. [Source]

US – Sweeping Vermont Privacy Bill Passes State Senate

The legislation would restrict the use of drones by state and local law enforcement, generally prohibit police from obtaining electronic data (including emails, web browsing history, call and text message content, location information and files stored on third party servers such as the “cloud.” ) from service providers without a warrant or judicially issued subpoena, and would also provide some restrictions on sharing of data gathered by automatic license plate readers in the Vermont. The bill does not place limits on the use of ALPRs for “legitimate law enforcement purposes,” but it does require data to be destroyed after 18 months unless the law enforcement agency obtains a warrant, or if the plate data is relevant to the defense of a pending or reasonably anticipated charge or complaint. Under the proposed law, state and local law enforcement could share data with other agencies for a “legitimate law enforcement purpose,” but the receiving agency must adhere to the date retention limits under the state law. [Source] The bill passed with no recorded opposition. See also: [Missouri state Rep. Ken Wilson has proposed a bill to exempt police body camera footage from Freedom of Information Act requests when there is a reasonable expectation of privacy] and [Washington, DC, Council member David Grosso has introduced a bill to protect student privacy]

Workplace Privacy

CA – Court Finds Employee Incident Did Not Meet Threshold to Warrant Drug or Alcohol Testing

The International Brotherhood of Electrical Workers on behalf of George Degg file a grievance against Jacobs Industrial for violations of the Grievor’s privacy. The privacy interest of the employee should prevail over the company’s desire to positively rule out the possibility of drugs or alcohol as a factor in a vehicle accident given that minimal damage was caused (less than $5,000 in repairs) and the link between the employee’s situation and the incident (the employee had no record of safety violations, sign of impairment, injury from the accident or evidence of a potential for greater damage). [Jacobs Industrial v International Brotherhood of Electrical Workers – 2016 CanLII 198 – ON LA]

US – Study: Employee Data Not Encrypted to Level of Customer Data

A new Sophos global study of organizational security techniques found that employee data protection falls far below the organization’s treatment of customer data in mid-sized organizations, with nearly one-third of companies not routinely encrypting employee financial information and nearly 50% not doing the same for health care records. The results aren’t necessarily all bad. “Two years ago, the number of them not encrypting was in the 75% range. The fact that we’re going toward the 50-50 range is actually an awareness on their part that they don’t want to be [the organizations] in the press.” [DarkReading]

US – Census Bureau Decides Against BYOD

The US Census Bureau has decided not to allow employees to use their own Internet-connected devices while gathering information for the 2020 census. Instead, the bureau will procure devices that will run its Compass application, which runs on multiple operating systems. [FCW]

+++

 

09-15 January 2016

 

Biometrics

CA – Candid Facial-Recognition Cameras to Watch for Terrorists at Border

Canada’s border agency plans to compare images of people arriving in the country with photographs of suspects on watchlists to keep out alleged terrorists and other criminals. In his recently released annual report, privacy commissioner Daniel Therrien says his office provided advice on the potential pitfalls, including the possibility of “false positives” that could result in unnecessary secondary screening for travellers. The office also urged the border agency to assess the risks of using such technology, including issues that might arise during testing phases. [Source]

US – Court rules Shutterfly May Have Violated Privacy by Scanning Face Photos

A US federal judge has denied a motion to dismiss a civil case against photo-sharing site Shutterfly that claims the company violated users’ privacy by collecting and scanning face geometries from uploaded images without consent. The first of its kind ruling could open the door to future class-action lawsuits against Shutterfly and other social networks that use facial recognition technology without an opt-in policy. [Source] [Court Ruling on Shutterfly Face Scans Could Spell Trouble for Facebook]

Canada

CA – Ontario Court Provides Clear Guidance on Privacy and “Tower Dumps”

The Ontario Superior Court released an important decision in R. v. Rogers & Telus, 2016 ONSC 70 which provides police and prosecutors with clear guidance on when and how they can obtain telco customer information through “tower dumps”. Tower dumps are the production of all the records of a cell phone tower at a particular time. Since your mobile phone is always communicating with at least one tower, tower dumps can tell the police who is in the vicinity of a particular location at a particular time. They are really troubling or problematic because the records overwhelmingly contain information about people who have nothing to do with the underlying investigation. [David Fraser blog] See also: [Rogers, Telus Await Landmark Ruling on Cellphone Privacy] See also: [Police sweeps of cellphone records violate privacy rights, judge rules] [Ontario court rules police orders breached cellphone users’ Charter rights] and [Why Canada’s Telecom Regulator Is Suddenly Acting More Like the Cops]

CA – Thousands Flagged by Canada’s New Air Passenger Screening System

Canada’s new security system for scrutinizing people who arrive by airplane singled out more than 2,300 passengers for closer examination during a recent three-month period, the federal border agency says. The CBSA says the travellers – flagged for possible links to terrorism or serious crime – represented a tiny fraction of the millions who flew into the country. Still, privacy and civil liberties watchdogs want to know more about the border agency’s so-called scenario-based targeting system to ensure individual rights are not being trampled. The agency has implemented the targeting system, already used by the United States, as part of Canada’s commitment to co-operate with Washington under the 2011 continental security pact known as the Beyond the Border initiative. Privacy Commissioner Daniel Therrien is pressing the border agency to explain the program’s rationale and build in safeguards to protect individual liberties. Travellers may be targeted if they fit the general attributes of a group due to traits they cannot change such as age, gender, nationality, birthplace, or racial or ethnic origin, he warns. [Source]

CA – Canada’s Military Plans to Monitor the World’s Social Media

Canada’s military wants to monitor and analyze the world’s social media streams, with 24/7 access to real-time and historical posts on websites like Twitter, Facebook, and Instagram. And they don’t want anyone knowing it’s them doing the monitoring, either. The Department of National Defence and its research wing, Defence Research and Development Canada, are in the market for a new Internet monitoring platform that can analyze and filter the daily firehose of social media posts. The platform envisioned by the military will pull from the most popular social media sites — Twitter, Facebook, YouTube, Instagram — but will also track data from a much broader range of websites. Blogs, message boards, Reddit, even the comment sections on news sites will be brought in for review and analysis by as many as 40 intelligence officers. A spokesman for DND said the platform is not intended to be directed at Canadians’ online activity, and will comply with Canadian privacy laws. [The Star]

CA – Greg Clark Demands Fresh Probe into Alberta Shred-Gate Scandal

Nearly 350 boxes of documents destroyed improperly by outgoing PC government, privacy commissioner says Calgary MLA Greg Clark says the NDP must bring in new rules and penalties. “What’s important is that the rules are clear about what can be destroyed, and when it’s destroyed and why it’s destroyed and that we have a record of it having been destroyed and what it was before it was destroyed.” [CBC News]

CA – MP McGuinty to Chair Parliamentary Committee to Monitor Spying, Security

The Liberals are planning to table legislation by June creating the first all-party committee of parliamentarians to monitor the top-secret operations of Canada’s expanding national security establishment. public opinion polling shows many Canadians want a tighter watch over spy agencies and other federal intelligence gatherers, commensurate with their extended powers under C-51. [Source] [Canada campaigners to demand public debate on controversial anti-terror law ]

CA – Goodale says Canada Must Be ‘World Leader’ in Tackling Radicalization

Public safety minister promises more money for RCMP to fight home-grown extremism Responding to questions about recent media reports about children and others erroneously tagged on the no-fly list and flagged as national security risks, Goodale said existing regulations do not require secondary screening for children under 18 years of age. Airlines may be “going beyond what they are required to do,” he said. “They may have been misinformed or confused about the application of the rules.” Goodale also provided more details on ways the government could strengthen the no-fly list to ensure children aren’t erroneously barred from flights or subject to secondary screening. [Source] [Government may take extra steps to examine security agencies: Goodale]

CA – Pilot Project Has Victoria Buses Equipped With Audio Security

B.C. Transit has added audio security equipment to 109 buses already equipped with security cameras, all part of a pilot project to see how much the safety of operators and passengers can be improved by such devices. As of Monday, the audio will always be on in the operator’s compartment, at least until April, when the one-year $400,000 pilot project concludes. All but 25 of the buses are in Victoria; the remainder are in Kamloops. The change means that Transit conversations between the operator and a passenger will be recorded. “The audio recording is always on, just like the camera system, from the time the bus turns on until it is off. If there is an incident, the operators push a ‘tag’ button, which allow us to find it and download it after an incident.” As well as audio coming onstream, Monday marked the activation of two external side-mounted cameras on 13 buses in the Victoria fleet. Officials from the BC OIPC have talked to Transit security staff about surveillance concerns, but nothing has changed since commissioner Elizabeth Denham raised concerns in April. [Times Colonist] See also: [CA – The thorny issue of retention periods – Insurers Beware]

Consumer

US – Majority of Parents Monitor Their Teens’ Digital Activity

The Pew Research Center surveyed parents of 13 to 17-year-olds and found that they’re taking a range of steps to keep track of their kids’ online lives and to encourage them to use technology appropriately and responsibly. [Source]

US – Americans Would Trade Privacy for Safety: Pew Study

When it comes to coaxing personal information out of Americans, a Pew Research Center report found certain factors, like safety, lead to greater acceptance than cost savings can. It turns out that the tipping-point issues in balancing these privacy concerns include: how valuable the benefit survey participants will receive is in return for their personal information, how they view the company or organization that is collecting the data, the length of time that the data is retained, and what is done with this data once it is collected. [Source]

WW – Lack of Trust Deters More Than a Third of Mobile Users From App Use

AVG Technologies and MEF’s global 2016 MEF Global Consumer Trust Report found that more than 36% of consumers have either procrastinated or eschewed some mobile apps altogether due to the privacy concerns the tools raise. This is the fourth consecutive year that concerns of this nature took the study’s top spot. “The data confirms what we know to be true: lack of trust is increasingly becoming a barrier to the use and proliferation of mobile apps,” said AVG’s Harvey Anderson. “One of the most interesting findings was that almost half of the consumers surveyed worldwide were willing to pay more for privacy-friendly apps that ensure that the data collected is not shared with third parties,” he added. [eWeek]

E-Government

US – Contractors Must Ensure Adherence to DoD Interim Order on Cloud Computing and Sub-contracting

Government contractors must undertake to comply with the Department of Defense’s interim rules from August 2015 (cloud computing) and October 2015 (supply chain). Government contractors should ensure that the physical storage location of cloud services is within the United States or outlying areas of the United States, its employees, as well as employees of subcontractors, are aware of and bound by appropriate confidentiality obligations, implement a reasoned process to establish and verify suppliers under covered contracts as “trusted suppliers” (take steps to replace those that are unable to qualify). [Security Developments for Government Contractors – Squire Patton Boggs] See also: [Amazon Will Open First Cloud Data Storage Centers in Canada]

E-Mail

US – Yahoo Agrees to Settle Email Privacy Suit

Yahoo! has agreed to settle a class action challenging the way the company analyzes email messages to serve targeted ads to users of its popular Yahoo Mail service. The deal would settle claims brought on behalf of non-Yahoo subscribers who claimed their messages were intercepted, scanned and stored as part of communications with Yahoo Mail users. The settlement is subject to approval from U.S. District Court Judge Lucy Koh who has been overseeing In re Yahoo Mail Litigation, 13-4980. The proposed settlement doesn’t include a cash payout to class members. However, the company has pledged to make changes to its privacy disclosures and the architecture of its email system. [The Recorder]

Electronic Records

WW – Survey: Credential Theft, Alert Volumes Top List of Concerns

A survey from Rapid7 asked nearly 300 security professionals worldwide to list their top security concerns. 90% of respondents said they are worried about compromised credentials; 60% said they are unable to detect such attacks. 62% of respondents said that their organizations receive more security alerts than they can manage. [The 2015 Incident Detection and Response Survey] [CSO Online] [eWeek]

Encryption

WW – 200 Experts Oppose Backdoors for Encryption

A group of 200 experts have urged the world’s governments not to introduce backdoors into encryption products in an open letter posted this week. echoing sentiments expressed by the Dutch government in a formal position on encryption that was published last week,. The letter addresses itself to “the leaders of the world’s governments” and urges them to support encryption as a way to “protect the security of your citizens, your economy, and your government.” The letter ends with a five-point argument that government should:

  • Not limit access to encryption
  • Not mandate backdoors
  • Not require that third parties have access to encryption keys
  • Not try to weaken encryption standards

Not pressure companies into breaking any of the previous four points [The Register] See also: [French government rejects crypto backdoors as “the wrong solution” ]

US – Juniper Networks Will Replace Questionable Components from its Products

Juniper Networks says it will remove code developed by the NSA from its firewall products. The code was found to silently decrypt traffic sent through virtual private networks. Juniper plans to replace a cryptography component in its ScreenOS operating system. [ArsTechnica] [Wired] [eWeek] [Juniper.net]

US – FTC Fines Encryption Software Company $250,000

Henry Schein Practices Solutions, Inc. has agreed to settle FTC charges that it misled customers about encryption of patient data. An FTC agreement (in effect for 20 years) resolves complaints that a software company deceptively claimed that its product provided industry-standard encryption of sensitive patient information as required by the Health Insurance Portability and Accountability Act; the company is required to notify all affected customers within 60 days, establish a toll free number and email address to respond to inquiries, and provide customer information to enable the FTC to administer consumer redress. [FTC In the Matter of Henry Schein Practices Solutions Inc – Agreement Containing Consent Order]

US – Interior Department IG Finds Laptop Encryption Ineffective

According to an advisory from the US Interior Department’s Deputy Inspector General, misconfigured software on nearly 15,000 department laptops could lead to data theft. Although the full-disk encryption software was initially configured to run pre-boot authentication, settings have been altered so the computers run post-boot authentication, making the data on the systems vulnerable to a specific attack. The advisory recommends that Interior’s CIO “mandate the use of pre-boot authentication on all laptops and implement a monitoring and enforcement program that mitigates noncompliant systems.” [Desert News] [FedScoop] [DOI IG Report] See also: [Ransomware Evolution: Another Brick in the CryptoWall]

EU Developments

UK – Tougher Sentencing Powers Needed to Deter Data Thieves, Says ICO

The UK information commissioner Christopher Graham has called for stronger sentencing powers for people convicted of stealing personal data, after a woman who sold 28,000 pieces of sensitive driver data was fined just £1,000. [The Guardian] [UK privacy watchdog wants to be able to send data thieves to prison: Resumes campaign for new powers] SEE ALSO: [Journalists warned that ‘snoopers’ charter’ bill is part of ‘no privacy for us, no scrutiny for them’ Government strategy] [“UK doesn’t do mass surveillance,” claims Theresa May in bid for new Snooper’s Charter. End-to-end crypto is fine, apparently, but information must be “readable.“ Hmm] [ICO Questions Data Retention Plans Under Snoopers’ Charter Draft] [Here are the warnings from Facebook, Google, other firms about Britain’s proposed “mass surveillance” law] [U.S. Tech Giants Join Forces Against U.K. Spying Plans] [Tech giants call on UK government to ensure new surveillance laws are ‘jurisdictionally bounded’]

EU – EDPS Issues Recommendations for EU Communications Data

The European Data Protection Supervisor has issued guidelines for processing of the following categories of electronic communications data (“eCommunications) for EU Institutions: telephone; email; and internet. Key recommendations include defining the content and conservation period of security logs, ensuring generated statistics are anonymous, informing staff and callers of possible recordings before they happen; ensure covert monitoring of employees undergoes a prior check, has a compelling justification and includes a register of all authorisations and instances of monitoring. [EDPS – Guidelines on Personal Data and Electronic Communications in EU Institutions]

FOI

US – The NSA Said It Needs 4 Years to Answer a FOIA About a Coloring Book

Since at least 2005, the NSA has employed a cast of cartoon cats, squirrels, turtles, and other woodland creatures who like to encourage children to pursue the politically important subject of cryptography and perhaps eventually a job in national security. Crypto Cat and crew espouse many virtues, but “transparency” and “timeliness,” do not appear to be among them. [Source]

CA – BC Judge rules to Open Secret Terror Hearing

B.C. Supreme Court Justice Catherine Bruce ruled that it is possible to protect the privacy and safety of a Canadian Security Intelligence Service source without the need to keep a hearing entirely confidential in connection to the investigation of John Nuttall and Amanda Korody. The fundamental principle of open court means that in-camera hearings should only be used as a last resort when other security measures won’t work, Bruce said in her ruling. “I find there is scope for a more limited order than was originally proposed.” [Source]

US – Librarians Purge User Data to Protect Privacy

US libraries are doing something even the most security-conscious private firm would never dream of: deleting sensitive information in order to protect users. Multiple librarians have pushed back against “national security letters” that would do just that in the name of public safety – a dangerous order to resist, since those letters include a gag order. But in 2005, when the FBI served a national security letter to Connecticut’s Library Connection demanding reading records and hard drives, the librarians resisted with such force that the government capitulated. The American Library Association had their backs, resolving unanimously to “condemn the use of National Security Letters to demand any library records”. [Source]

Health / Medical

US – HHS Unveils New Tools to Help Patients Understand HIPPA Privacy Rules

Federal agency says people too often face obstacles to accessing their health information. “Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule,” Jocelyn Samuels, HHS director of the Office for Civil Rights wrote. “This must change.” [Source]

UK – NHS-Backed Health Apps ‘Riddled With Security Flaws’

All of the NHS-approved apps audited by a private firm lacked binary protection against code tampering, and most also lacked adequate protection in the transport layer. Flaws also emerged in FDA-approved health apps in use in the US. Arxan found at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks in 90 per cent of the 126 apps investigated. More than 80% of the health apps tested that were approved by the US FDA or the UK NHS were also found to have at least two of the OWASP Mobile Top 10 Risks. The findings are part of Arxan’s 5th Annual State of Application Security Report, which this year focused on healthcare and finance apps. The upshot is that mobile health apps approved by regulatory/governing bodies are nearly as vulnerable as other mobile apps. [Source]

Horror Stories

CA – Halifax Man Finds Apparent Military Hard Drive at Recycling Depot

A 30 G hard drive found at a recycling depot that a Halifax man says contains personal information including the names and numbers of defence personnel has been taken by the military. Pete Stevens said he recovered about 10 G of data from the 30 G hard drive, including 6,000 photos, spreadsheets with the names and numbers of military personnel and their families, and completed applications for security clearance. [CTV News] [CBC: Canadian military investigating after hard drive found at recycling depot]

CA – Sask RN in Deep Over Facebook Posts About Her Granddad

A Prince Albert nurse could be disciplined for writing a Facebook post about the “subpar care” her grandfather received in a Macklin hospital. A registered nurse at St. Joseph’s reported the comments to the Saskatchewan Registered Nurses’ Association (SRNA), the provincial body that regulates nurses. The SRNA charged Strom with professional misconduct. It’s the first time the association has laid such charges against a member for comments made on social media. The SRNA argues Strom violated the provincial Health Information Protection Act by disclosing her grandfather’s confidential health information online, failed to raise her concerns with the appropriate people and tarnished the reputations of St. Joseph’s and its staff. Because Strom identified herself as a registered nurse in her post, she “engage(d) the professional image of registered nurses in general as well as (her) personal professional obligations,” SRNA said in the hearing notice. Strom said she was “shocked” by the charges. “What worries me about this is: Is this going to hinder future family members, who just happen to be health-care workers, from advocating for their family members for fear of retribution from the SRNA?” she asked. “It bothers me.” [Saskatoon StarPhoenix] [Editorial: Questionable case of misconduct] [CBC: Facebook post leaves Prince Albert, Sask. nurse charged with professional misconduct]

Identity Issues

CA – Manitoba Government Approves All-In-One Personal Identification Card

Manitobans will soon have access to an all-in-one personal identification card (PIC). The PIC will integrate a person’s health identification number (PHIN) onto the back of driver’s licences and photo identification cards, which are expected to be issued starting in the fall of 2017, and will be authenticated using industry-proven policies, procedures and practices currently in place at Manitoba Public Insurance. Manitoba Public Insurance already issues photo identification to approximately 92% of health card holders. Anyone who requires a Manitoba Health Card will transition to a new PIC at no charge. Manitoba Public Insurance launched a comprehensive, five-week public and stakeholder consultation process last August. More than 4,000 Manitobans and 29 stakeholder organizations provided input. The full consultation report is available for viewing on the MPI website at www.mpi.mb.ca. [Source]

Online Privacy

EU – German Court Calls Facebook’s Find-a-Friend Function Illegal

A German court has ruled that Facebook Inc.’s current find-a-friend function is illegal, labeling it an unacceptable and intrusive form of advertising. The decision by the Federal Court of Justice this week upholds a previous ruling by a lower court against Facebook, which has faced a number of legal disputes in Europe regarding privacy protection. Facebook’s find-a-friend function accesses users’ email address books and sends invitations to contacts who aren’t yet members of the social-network site. [WSJ]

Privacy (US)

US – Patients Can Sue for Data Breach Based on Data Exposure Alone: Court

A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information.  This decision is significant for several reasons. First, the case represents a comparatively lax approach to standing, in which alleging the mere exposure of information with the potential for access and misuse by unauthorized persons pleads sufficient injury to establish standing and survive a motion to dismiss. In contrast, in Clapper, the U.S. Supreme Court held that plaintiffs who alleged that the NSA actually had access to their private telephone and email conversations through its surveillance program still lacked Article III standing to sue based on the theory that their communications would be obtained at some future point. In other words, the threat of future injury was insufficient to support Article III standing even where access, not just exposure, to private information was actually alleged. 113 S. Ct. 1138, 1143 (2013). [Source] See also: [US – The new way police are surveilling citizens: Calculating their threat ‘score’]

Security

EU – Companies Unprepared for EU GDPR: Study

IT governance & technology deficiencies impede organizations from complying with “Right to be Forgotten” & EU GDPR By 2018. Although 46% of global organizations received customer requests to remove data in last 12 months, 41% lack defined processes, documentation and technology, according to Blancco Technology Group study. Key corporate security trends that surfaced from the study include: Awareness of GDPR is high (48%) among global IT professionals, but their level of preparation is much lower. 40% admit to being less than fully prepared – with 16% still needing to find the right data removal software, 9% uncertain of how and where to start, and finally, 15% not even knowing if they are prepared. Lack of documentation, processes and tools increases the likelihood of GDPR violations. 60% of the surveyed IT professionals stated that it would take their organisation up to 12 months to implement the necessary IT processes and tools to pass a “right to be forgotten” audit, while 25% do not know how long it would take. Data erasure software (48%) tops the list of the most valuable type of technology to ensure GDPR compliance, followed by encryption key removal tools (26%) and malware removal tools (10%). IT professionals inside and outside of Europe (65%) are keen to implement data protection laws similar to the framework of EU GDPR. [Security News]

US – PCI SSC Explains How to Respond to a Data Breach

Recently, the Payment Card Industry Security Standards Council (PCI SSC) published a three-page guide titled “Responding to a Data Breach” that articulates its position on the correct response to a security incident at a merchant location where the attack exposed cardholder data. The guidance also highlights some of the difficulties in developing proper response procedures, specifically the challenges in mapping out complete, thorough procedures that actually hold up under the stress of an actual incident. [Privacy Advisor]

WW – Known Vulnerabilities Cause 44% of All Data Breaches: Study

Most IT experts are well aware of the need to patch vulnerabilities in their systems as soon as possible, but despite this, known security issues remain the leading cause of corporate data loss and production downtime in the enterprise. That’s the biggest finding of BMC Software Inc.’s latest security survey, The Game Plan for Closing the SecondOps Gap. The report, which was conducted by Forbes Insights on behalf of BMC and surveyed more than 300 C-level executives from U.S. and European firms, found that known vulnerabilities are the leading cause of data breaches, accounting for 44 percent of all such incidents. [Source]

Surveillance

US – New York to Appoint Civilian to Monitor Police’s Counterterrorism Activity

The NY City mayor will appoint an independent civilian to monitor the New York Police Department’s counterterrorism activities, as they moved to settle a pair of lawsuits over surveillance targeting Muslims in the decade after the Sept. 11 attacks. With the settlement, the surveillance of Muslims becomes a chapter in the long history of controversial police tactics in New York. [New York Times]

EU – Belgian DPA Requests Opinion of US Surveillance Laws Under Schrems

The European Court of Justice (ECJ) failed to take into account numerous changes in U.S. surveillance practices when it invalidated the Safe Harbor program in the Schrems case, according to a report by Prof. Peter Swire. The Schrems decision reflected a “serious misunderstanding of U.S. national security law,” the report concluded. Swire finds that the U.S. legal order as related to privacy and surveillance is:

  • “essentially equivalent” to the EU’s,
  • that the ECJ came to the wrong conclusion regarding section 702 of the PRISM program, and
  • that the decision neglected the two dozen significant reforms the U.S. has made to its surveillance practice since 2013.

The Belgian Privacy Authority requested that the report answer two questions for a forum on the Schrems decision that it hosted:

  1. Is U.S. surveillance law fundamentally compatible with EU data protection law?
  2. What actions and reforms has the U.S. taken since Edward Snowden’s revelations of U.S. government surveillance began in June 2013? [More at BNA.com]

US – Why the Non-Malicious Insider Is Quickly Becoming a Huge Threat

Despite the steadily increasing number of enterprises adopting security software, which has proved important in enabling companies to more successfully secure and track sensitive data, there is a big missing link to tie all of these efforts together: employee education. According to a recent survey we conducted with CoSoSys customers, 35% of enterprise employees think that data security is not their responsibility. This is a serious issue when you consider that 70% of these employees have access to and use confidential company files. Additionally, 60% don’t even know which files are confidential or not. When you add disgruntled or recently fired employees whose system access had not yet been revoked to the mix, companies are leaving themselves open to a potentially devastating breach. [Source]

US Government Programs

US – New Student Database Slammed by Privacy Experts

The U.S. Education Department’s new planned system of records that will collect detailed data on thousands of students — and transfer records to private contractors — is being slammed by experts who say there are not adequate privacy safeguards embedded in the project. The non-profit Electronic Privacy Information Center, or EPIC, told the department in a January 2016 formal complaint that its new system of records for the “Impact Evaluation of Data-Driven Instruction Professional Development for Teachers” violates the Privacy Act by: (1) collecting irrelevant and unnecessary information and (2) not clearly stating the purpose of the proposed routine use disclosures. [Washington Post] [The astonishing amount of data being collected about your children]

US – Report: Feds Leave 42% of Cybersecurity Recommendations Undone

The Government Accountability Office discovered that out of its 2,000 recommendations on cybersecurity for federal agencies in the past six years, 840 remain undone, for a completion rate of 58%. This number contrasts greatly with the average completion rate for general recommendations of 80%. “Implementing this and other outstanding recommendations could better protect federal data and federal agencies’ responses to cyberattacks and data breaches,” the agency wrote in a blog post. [FedTech]

US Legislation

US – House Passes Substantial FOIA Reforms

Congress has passed the FOIA Oversight and Implementation Act, H.R. 653, which would limit exemptions that allow agencies to withhold public records, create an online portal for FOIA requests, and require agencies to post frequently requested documents. Open government advocates and members of Congress have criticized federal agencies for lax compliance with the Freedom of Information Act. The House Oversight Committee concluded that “[e]xcessive delays and redactions” have undermined the Act.” The FOIA Ombudsman criticized the Transportation Security Administration for its “weak management” and lack of a “FOIA tracking system.” EPIC has pursued many FOIA cases.EPIC and a coalition previously urged President Obama to strengthen the FOIA by committing to a “presumption of openness” and narrowing the use of FOIA exemptions. [Source]

Workplace Privacy

EU – EDPS Issues Guidelines on Work-Related Use of Mobile Devices

The European Data Protection Supervisor issues guidelines on protection of personal data in mobile devices (“devices”). The guideline examines risks for personal data processed on mobile devices (leakage of personal data and compromised credentials), applicable procedures for lifecycle management of devices (i.e. mobile device inventory and asset disposal), and necessary security measures, such as remote wipe and lock, user and application access restriction, secure logs and audit trails, full disk encryption, and application whitelists and blacklists. [EDPS – Guidelines on the Protection of Personal Data in Mobile Devices Used by European Institutions]

 

+++

1-8 January 2016

Big Data

US – FTC Issues Guidance on Big Data

The report looks at the end uses of that ubiquitous collection of data from a variety of sources after it has been analyzed and chronicles such upsides as boosting education, non-traditional access to credit, specialized healthcare and access to employment. But it also surveys risks, which it identifies as “inaccuracies” about certain groups, exposing sensitive information, targeting vulnerable consumers for fraud, increasing the price of goods in lower-income communities, and reducing consumer choice. [Broadcasting News] [Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues] SEE ALSO: [Data in 2016: 5 Trends That Will Drive Big Data]

Canada

CA – IPC Recommendations to Protect PHI When Using Various Technologies

The IPC has provided guidance on best practices for protecting personal health information. When retaining PHI on mobile or portable devices, strong encryption should be used (keys should be of a sufficient length and error messages should be monitored and responded to immediately) and the device should have strong password protection (random string of letters, numbers and symbols). Shared electronic health record systems should have harmonized policies and procedures that address training, consent management, breach management, complaints and inquiries. [IPC Presentations From the 2015 PHIPA Summit]

Consumer

US – Pew Survey Indicates Confusion Over Online Data-Sharing Decisions

A new Pew Research Center survey indicates a “significant minority” of American adults have felt confusion about whether to share personal information with companies. The survey found that while 50% said they were confident they understood what would happen with the information they shared, 47% said they were not. 35% of respondents said they were discouraged with the effort required to try to understand data uses, while 38% said the information provided in various companies’ privacy policies confused them. 29% said they found themselves impatient in that they needed to make a decision quickly but felt they wanted to learn more. [Full Story]

US – Study Finds Simplified Privacy Notifications Ineffective

A new survey-based study by two University of Chicago Law professors published on the Social Science Research Network found that the simplification of privacy disclosures did not modify user behavior. “Simplification of disclosures is widely regarded as an important goal and is increasingly mandated by regulations in a variety of areas of the law,” said the study authors. “In privacy law, simplification of disclosures is near universally supported.” However, “our results reveal that none of the simplification techniques help inform respondents or affect their behavior. They call into further question the wisdom of focusing much regulatory effort on improved disclosures,” they continued. [Source]

Electronic Records

UK – NHS to Implement Platform that Integrates Imaging, Genomic Data

England’s National Health System will be implementing an integration platform that will link medical imaging and genomic data, with the intent of bringing together key information at the point of care. The NHS will be rolling out the system from Kanteron Systems that will allow NHS to have exclusive and unrestricted access to its medical imaging and genomic data integration platform. Kanteron is working with various technology partners that have significant business with U.S. healthcare providers. They include IBM, Microsoft and Hitachi Data Systems. Kanteron executives said the company will offer additional services, such as consulting, implementation, integration, migration, tech support and more, to support adoption of new clinical workflows. [Source]

Encryption

EU – Dutch Govt Rejects Backdoors in Encryption

The Dutch government has published a position paper in which it opposes the ideas of creating backdoors in encryption products. The paper says, in part, “The government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability, and use of encryption within the Netherlands.” The paper notes that placing backdoors in the products “would also make encrypted files vulnerable to criminals, terrorists, and foreign intelligence services.” [The Hill] [The Register] [Dutch government backs strong encryption to contradict UK stance] [Security experts support Dutch stance on encryption] [What lessons can the UK learn as the Dutch champion data encryption, oppose backdoors] See also: [David Chaum, the Father of Online Anonymity, Has a Plan to End the Crypto War] and [There’s a huge debate over an encryption expert’s plan solve the problem of online privacy]

EU Developments

EU – EU Commission Provides Overview of Data Protection Reform

The European Commission released a fact sheet regarding the impact of the “General Data Protection Regulation (the “Regulation”). The GDPR safeguards freedom of expression and historical/scientific data (through the right to be forgotten) and provides specific protection for children (parental consent required for processing of minors); the use of Big Data analytics is encouraged (through GDPR promotion of anonymization, pseudonymization and encryption), and the one-stop shop mechanism positively impacts companies (they only have to deal with 1 DPA, and will receive more consistent and faster decisions). [European Commission – Questions and Answers – Data Protection Reform] [PrivaWorks] Final drafts out of the trilogues: Final GDPR Text, December 15, 2015 | Final DPD Text, December 15, 2015] SEE ALSO: Top 10 operational impacts of the GDPR (IAPP Privacy Advisor): Part 1 – data security and breach notification | Part 2 – The mandatory DPO | Parts 3-10 TBD

EU – NIS + GDPR = A New EU Breach Regime

European lawmakers capped off a blockbuster week for privacy with an important step towards the first comprehensive information security legislation in the EU. The Network Information Security (NIS) Directive was initially proposed by the European Commission in February 2013 to raise cybersecurity capabilities across the EU’s 28 member states. After more than two years of negotiation, the European Council reached an informal agreement with the Parliament on December 7, and the agreed text was approved by the Member States December 18. The text now must undergo “technical finalisation,” and then needs to be formally approved by both the Council and the Parliament, which is expected, according to the Council, this spring. Member States will then have 21 months to implement the Directive into law, passing their own legislation in accordance with the Directive. The Directive aims to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers,” according to a Council press release. To that end, it will require operators take measures to manage cyber risks and report security incidents. The Parliament and Council disagreed over which operators would be subject to the provisions. Ultimately, they extended the measures to operators of “essential services” and digital service providers. Perhaps most importantly for privacy and data protection professionals, the Directive introduces breach notification requirements that extend beyond those of the General Data Protection Regulation (GDPR). Unlike the GDPR, which mandates notification only when there is a risk to personal data, the Directive requires operators to notify competent authorities whenever there is a substantial impact on the provision of the operator’s service. Thus, while the GDPR includes security and notification provisions to protect personal data, the Directive seeks to improve security safeguards and the sharing of knowledge on cybersecurity threats. {IAPP Privacy Tracker]

EU – EDPS Releases Guidelines on E-Communications, BYOD

The European Data Protection Supervisor (EDPS) has published two sets of guidelines for EU institutions and bodies on personal data and electronic communications as well as personal data and mobile devices. The EDPS said the guidelines aim to help EU institutions comply with data protection rules, but they’re really applicable to any organization. In the guidelines, EDPS Giovanni Buttarelli said EU bodies looking to implement BYOD should look at the benefits of doing such processing “taking account of the risks and invasiveness that such use may imply.” [Press Release] SEE ALSO: [EDPS – Response to the Commission Public Consultation on the Regulatory Environment for Platforms, Online Intermediaries, Data and Cloud Computing and the Collaborative Economy]

EU – EDPS Opinion Calls for Enhanced Controls on Surveillance Tech

In a recently published opinion, European Data Protection Supervisor Giovanni Buttarelli called for enhanced controls on the export of technologies used for communications surveillance and interception. He said there is a “tension between the positive use of ICT tools and the negative impact that the misuse of technology can have on human rights, and especially on the protection of personal data and privacy.” Buttarelli said national and EU policies should address the tension but so should “all actors involved in the ICT sector.” [Full Story] See also: [EU privacy watchdog to set up ethics advisory group]

UK – ICO: Govt Should Not Have Right to Access Citizen’s Private Data

The UK government and security services shouldn’t have “willy-nilly” access to citizen’s digital communications and online activities, the Information Commissioner has warned. Such powers would represent an excessive invasion of privacy, he added. Christopher Graham made the comments while presenting evidence to a House of Lords Joint Committee on the draft Investigatory Powers Bill. The draft Bill – dubbed the “Snooper’s Charter” by critics – was introduced by Home Secretary Theresa May last year. It explicitly authorises security services to bulk-collect personal communications data and makes it illegal to even ask in court whether evidence was obtained via bulk surveillance. However, Graham warned that the legislation must not give the government carte blanche for collecting and storing citizen’s private data. “Simply by the fact that we’re all doing business, social actions and communications digitally, wherever we go, whatever we do; like it or not, we leave a digital trail,” he told the Joint Committee, and argued that data protection legislation requires much of this to remain private. “The challenge for the data protection framework is to make sure that remains private where it should be private.” Graham told the Committee that it shouldn’t be the case the state can access all of a citizen’s private data, just because it wants the power to do so. [Source] See also: [Facebook, Google, Twitter unite to attack ‘snoopers’ charter’] [UK mass surveillance ‘totalitarian’ and will ‘cost lives’, warns ex-NSA tech boss]

EU – German Federal DPA Completely Independent as of January 1, 2016

The federal German data protection authority (“DPA”) issued an update for 2016. A German law, effective January 1, 2016, establishes the federal DPA as the supreme federal authority (comparable to the Federal Court) and entirely independent, responsible only to Parliament; the DPA’s decisions are subject to judicial review. [DPA Germany – Update and Outlook for 2016]

Finance

CA – Investment Industry Regulator Issues Security Guide for Dealer Members

The Investment Regulatory Organization of Canada (“IIROC”) issued a guide for cyber incident management planning for small and mid-sized Dealer Members. The guide outlines possible causes of a cybersecurity incident, signs of possible information system compromise and recommendations for the phases of incident management (plan and prepare, detect and report, assess and decide, respond, and post-incident activity); an incident checklist is provided (whether there is a plan in place or not). [IIROC – Cyber Incident Management Planning Guide for IIROC Dealer Members]

FOI

CA – Law and Info Groups Challenge ‘Far-Reaching’ Retroactive Law

A retroactive Conservative law buried in last spring’s omnibus budget bill fundamentally undermines the rule of law and government access-to-information systems across Canada, according to court submissions in a paused constitutional challenge. Twelve of Canada’s 13 provincial and territorial information commissioners, as well as the Criminal Lawyers’ Association, are seeking intervener status in the case, which challenges the former government’s unprecedented rewrite of an old law to get the RCMP and any other government official off the hook for illegally destroying long gun registry records. The case, brought by federal information commissioner Suzanne Legault on behalf of individual Bill Clennett, is one of the messier legal challenges the new Liberal government will have to mop up in 2016. [GlobalNews]

CA – IPC Requires Ministry to Reveal Marijuana Grow-Op Info

This IPC order reviews the decision of the Ministry of Community Safety and Correctional Services to withhold records requested under FIPPA. Due to health and safety threats posed by properties formerly used for marijuana grow-operations, it is in the public interest for certain records to be released which provide address, dates and amounts of marijuana seized during OPP investigations; in the absence of sufficient evidence of an indoor marijuana grow-operation, the compelling public interest in disclosure of those records no longer exists and should not be disclosed to the public. [IPC ON – Order PO-3547 – Ministry of Community Safety and Correctional Services] See also: [Interim Order PO-3555 – IPC Upholds York University Decision to Deny Access to Security Reports]

CA – 2010 Olympic Records Are Not in Control of 3 Public Bodies: BC OIPC

This OIPC order reviews the decision reached by the City of Vancouver, the Resort Municipality of Whistler and the Ministry of Finance (collectively, the “public bodies”) relating to records requested pursuant to British Columbia’s Freedom of Information and Protection of Privacy Act. The Adjudicator agreed with the two municipalities and a government department that the records are not in their custody (e.g. Olympic committee bylaws determined the storage and inspection of the records) or control (e.g. the public body lacks the contractual authority to regulate the records’ use, disclosure and disposition). [OIPC BC – Order F15-65 – City of Vancouver, Resort Municipality of Whistler and the Ministry of Finance]

CA – Clayton: Post-Election Document Destruction Illegal

After an investigation of widespread document destruction by the Progressive Conservatives after losing an election to the NDP last year, Alberta Privacy Commissioner Jill Clayton and Public Interest Commissioner Peter Hourihan found that lack of oversight and accountability demonstrates the need for an overhaul of the province’s records management system. The joint investigation found that no one monitored the shredding of a vast amount of government documents. “Robust and accountable records management programs are critical to ensure Albertans can exercise their access to information rights,” Clayton wrote. “This investigation found there was confusion about the rules guiding records management, and there were no consequences for not following rules.” [Document shredding rules not followed after Alberta election, investigation finds] See also: [New details about Calgary healthcare workers privacy breach]

US – New Resource from ProPublica Aims to Simplify Info Access

ProPublica’s new online Policing Patient Privacy and HIPAA Helper tools allow the curious to stay on top of the healthcare privacy community’s goings-on as well as check to see if his or her hospital or healthcare provider was amongst the hacked. Among the newest stories in the Policing Patient Privacy database is a ProPublica report on the Department of Veterans Affairs mistakenly sending incorrect veteran data to war widows and an additional study on how companies rarely face serious consequences after repeated bungles. Meanwhile, the Department of Health and Human Services published a chart that ranks the top five healthcare privacy grievances by year, with “impermissible uses and disclosures” taking the top spot from 2004 through 2014. Healthcare records breached in 2015 topped 112 million. [ProPublica]

Genetics

JP – Gov’t Says Genomic Info Considered PII

A panel of Japanese experts has decided genomic information should be considered personal information under the newly revised privacy act approved in September. The information will now be classified just as digitized facial features and fingerprints are, and genomic data related to diseases will be considered highly sensitive personal information. The government plans to add rules this year to cover grey areas surrounding protecting genomic data. [Lawyer Herald]

Health / Medical

CA – IPC Issues Guidance on Use of Health Card Numbers

The IPC released a FAQ’s on the use of health cards and health numbers by healthcare professionals pursuant to the PHIPA. Individuals have a right to refuse to provide their health cards and health numbers to a person who is not a custodian (custodians are persons and organizations prescribed in the regulations permitted to collect, use or disclose health numbers), but disclosure must be voluntary; it is an offence under PHIPA to require the production of a health card, except if it is required by a person or organization that provides provincially funded health resources to the individual. [IPC – Health Cards and Health Numbers – The Personal Health Information Protection Act]

Horror Stories

US – Comcast to Pay Penalty of $19,850,000 for Multiple Privacy Violations

The Superior Court of the State of California issued a stipulated judgment filed by the California Attorney General (“Plaintiff”) against Comcast Cable Communication LLC (“Defendant”) for unlawful: disposal of customer information; and hazardous waste disposal practices. Customer records (name, address and phone number) were disposed of without being shredded, erased or made unreadable or indecipherable; the company must designate a Privacy Officer responsible for overseeing its customer record disposal procedure, train employees on the procedures and post prominent signage about the procedures at its facilities. A third party auditor must conduct random audits to evaluate compliance with the procedures within 18, 36 and 54 months. [The People of the State of California v Comcast Cable Communications LLC – Complaint and Stipulation for Entry of Final Judgment – Superior Court of the State of California – County of Alameda | Press Release ]

Identity Issues

US – IRS Provides Tax Break on Pre-Breach ID-Protection Programs

The IRS is offering new tax relief for employers that offer pre-breach identity-protection services for employees. According to IRS Announcement 2016-02, employers do not have to count the value of the protection service in an employee’s wages and gross income or report the amounts on a tax return. However, the new provision “does not apply to cash received in lieu of identity protection services,” the IRS wrote, and “does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.” [BNA.com]

US – Backlash Encourages IRS to Kill Non-Profit Donor Data-Sharing Scheme

After receiving nearly 38,000 public complaints, the International Revenue Service (IRS) withdrew its proposal that would permit non-profits to collect the Social Security numbers of select donors. Although the IRS maintained that the program was created to safeguard donor privacy and keep reporting simple for non-profits, many were nonplussed, and the axing of the proposed system incited widespread celebration from groups like the Tea Party Patriots and the National Council of Nonprofits (NCN). “Nonprofits have neither the financial resources nor sufficient staffing to combat hackers who will see an easy source for Social Security information,” said the NCN CEO. “This also creates a liability nightmare for innocent nonprofits. … To be asked to share their address, their credit card number, and their Social Security number all in the same place would be enough to scare even the most committed donor to decline to give.” [The Daily Signal]

SG – Singapore DPA Recommends Use of Anonymization Methods

The data protection authority in Singapore issued an e-newsletter providing guidance on anonymization. Common anonymization techniques include masking (e.g. certain data details removed while preserving the essential look and feel of the data), pseudonymization (identifiable data replaced with randomly generated values from which an identity cannot be inferred), aggregation values (displayed as a total figure), replacement (average figure replaces a value), and data suppression (a range is used instead of specific values). [Personal Data Protection Commission, Singapore – Anonymisation: Managing Personal Data Protection Risk]

Internet / WWW

WW – Microsoft to Warn of State-Sponsored Attacks

Microsoft has revised its account breach notification policy to specify when it suspects that state-sponsored attackers have targeted a user’s email or cloud services account. While Microsoft already has a policy in place that calls for notifying users of account breaches, the decision to identify a breach as coming from a state-sponsored entity was made “because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others.” [SC Magazine] [Bloomberg] [Washington Post] SEE ALSO: [Microsoft failed to warn victims of Chinese email hack: former employees]

US – Free Public Wi-Fi in NYC

New York City plans to install 10,000 free public Wi-Fi hotspots. Once operational, the kiosks will provide 2.0 strength in a 150-foot radius, as well as USB chargers, touchscreen Internet access, and free phone calls within the US. The project expected to realize US $500 million in advertising revenue over 12 years. The plan calls for the first 500 kiosks to be up within the next six months; 4,500 additional hubs are expected to be established over the next four years. The system will be encrypted. [CS Monitor]

Law Enforcement

CA – BCCLA to OIPC: Audit Use of Mobile Cop Surveillance Towers

Micheal Vonn, policy director for the B.C. Civil Liberties Association, said she has concerns about the deployment by law enforcement of new tower cameras over the holidays — particularly whether they have the capability to see into people’s homes — but cautioned that the association hasn’t concluded such equipment is unnecessary. “What we don’t want to start out by saying is that this kind of camera could never be justified — that’s not our position,” Vonn said. “But given the sensitivity of the information regarding the deployments, how can we know when it’s being appropriately deployed?” Vonn suggested the BC OIPC  consider an audit to determine whether the tower camera, which is also used by Abbotsford police and some other local police forces, is being used in a manner that doesn’t infringe on residents’ privacy rights. [Vancouver Courier]

Online Privacy

The Privacy Advisor’s Top 10 Stories of 2015

Between the U.S. President’s historic visit to the Federal Trade Commission to identity, privacy and data protection as priorities this year to the European Court of Justice invalidating Safe Harbor and the European Commission introducing the privacy reform that will change the privacy landscape globally, it’s been quite a year for the privacy profession. Here’s a look back at the top 10 stories reported in The Privacy Advisor, ranked by the number of reads each story got.

  1. Obama Stops by FTC; Announces Privacy Bills on ID Theft, Student Data, Consumer Privacy
  2. Cookies Are So Yesterday; Cross-Device Tracking Is In
  3. Safe Harbor Invalid, Rules ECJ
  4. GDPR Is Here: What’s a Privacy Pro To Do Next?
  5. With Safe Harbor Invalid, What’s a Privacy Pro To Do?
  6. Third-Party Vendor Management Means Managing Your Own Risk
  7. Would a Law Degree Take Your Privacy Career to the Next Level?
  8. His Task? Start Up a Privacy Program at a Start-Up
  9. How To Operationalize the PIA
  10. FTC’s Security Guide: A Sure-Fire Way To Stay Out of Trouble?

[Source] See also: [Why 2015 Was a Historic Year for Privacy]

US – Judge Allows Class-Action Against Yahoo to Proceed

In Chicago, a federal judge allowed a class-action lawsuit against Yahoo to proceed, which could make Yahoo liable for up to $1,500 in damages for each text message it sent to non-Yahoo customers on Sprint’s wireless network in March 2013. The suit claims Yahoo violated telecom rules by sending users who signed into Yahoo Messenger a follow-up text even though users had not given consent to be contacted. Yahoo could pay up to $750 million total “given that as many as 500,000 people could be covered in the class-action,” [Washington Post]

Privacy (US)

US – DHS Offers Drone Privacy Best Practices

The Department of Homeland Security Unmanned Aircraft Systems Privacy, Civil Rights and Civil Liberties Working Group has released 15 best practices for government agencies working with the emerging technology. In a joint statement, the co-chairs of the working group write, “The DHS Working Group neither proposes nor intends that this document regulate any other government entity. Our goal, rather, is simply to share the best practices we have identified as helping to sustain privacy, civil rights, and civil liberties throughout the lifecycle of an unmanned aircraft systems program.” The ACLU, however, said the guidelines are vague on data retention limits of collected data. [Federal News ERadio] See also: [UK Police to use drones for burglaries, sieges, protests] See also: [Drone Law Journal Launched]

US – DHS Releases New Year’s Resolutions for Privacy

The Department of Homeland Security’s Privacy Office reflects on its privacy progress while postulating on the future within its 2015 review. The office shed light on its involvement with the U.S.-Canada Beyond the Border Action Plan and the U.S.-E.U. Data Protection and Privacy Agreement. Among its 2016 plans is a DHS mobile app privacy policy and involvement in the Automated Indicator Sharing Initiative, in which the office will aim to “develop an automated, near-real-time capability and process for the Department of Cybersecurity and Communications Integration Center, to send and receive cyber threat indicators from government and private organizations.”[Federal News Radio reports]

US – CRS Sheds Light on Enforcement Authority in Data Breach Legislation

Most of the bills would task FTC with most of the enforcement duties, said a recent CRS report, but the legislation differs on whether the FCC should retain its existing enforcement authority over data security and breach notification for telecommunication providers. The transparency group Federation of American Scientists obtained the report and made it publicly available. [FierceGovtIT] See also: [LabMD and Wyndham Decisions Curtail FTC’s Data Privacy and Security Reach]

US – PrivacyCon to Hit Washington Jan 14

The FTC has announced the full agenda for PrivacyCon, a free and publicly accessible event, on January 14. Industry delegates, researchers, and government representatives will convene in Washington to discuss privacy and data protection research from a broad collection of academics. Among the research presentations is Cornell researcher Vitaly Shmatikov’s discovery that due to “subtle bugs,” some ads now have the ability to report a user’s medication usage and sexual preference, as well as his or her location. Registration for the event is on a “first come, first serve” basis. This event will be webcast [Source]

US – Data Privacy Day Observed by NCSA with State of Privacy Event

The National Cyber Security Alliance (NCSA) is hosting a State of Privacy event at the Pew Charitable Trusts in Washington on January 28, more formally known as Data Privacy Day. Speakers like the FTC’s Julie Brill and EDPS Giovanni Buttarelli, among others, will discuss both “consumers’ view on privacy” and “developing a sustainable big data ecosystem.” The free and publicly accessible event aims to “initiate a practical and solutions-focused dialogue addressing the current state and future of privacy.” [Full Story]

Security

WW – 10 Data Security Trends That Will Impact You in 2016

Considering the events of the past year, here’s my take on trends and predictions for 2016.

  1. Consolidation of IT Security: The IT marketplace wants fewer vendors, not more.”
  2. The Internet of Things to Run Rampant: 6.4 billion connected “things” will be in use globally by the end of 2016 – up 30% from 2015 – and that number is expected to reach 20.8 billion by the year 2020.
  3. Responsible Disclosure: The upcoming year could bring about fundamental changes in how security researchers discover, prove, report and address vulnerabilities.
  4. Security Awareness to Expand to Consumers: In order to combat internal breaches, companies are providing their employees with cyber security awareness training.
  5. Data Breaches to Cause Extensive Implications: In the past, there have been significant delays in victims noticing the effects of a data breach – if at all. That is, until the hack of Ashley Madison, which highlighted the extent to which the personal and professional lives of a large group of people could be negatively impacted by a data breach.
  6. Privacy Regulations: With the ongoing debates around privacy regulation in Europe, security will undoubtedly be included in the conversation. Of particular note will be discussions around the case of Safe Harbor and how such European rulings will affect the global transfer and storage of personal data.
  7. SMBs to Invest More in Security: Cybercriminals are increasingly targeting SMBs because they’re seen as less secure, while oftentimes owning valuable customer data. Ransomware’ tops the list of company concerns for SMBs, and instances of cyber attacks targeting SMBs will continue to grow.
  8. Cloud Security to See Increased Shared Responsibility: Deploying a cloud-based IaaS, PaaS or SaaS provider can be a good business and security investment for companies with limited IT resources. However, companies must also understand that simply hosting in the cloud does not absolve them of security responsibilities.
  9. Incident Response to See Improvements: The onslaught of high-profile breaches has created a greater need for companies to respond to breaches in a timely manner.
  10. Collaboration Amongst Community to Increase: More than ever, security professionals are utilizing tools and platforms in order to better share and collaborate on security research and uncovering and responding to threats..

[Source] SEE ALSO: [DarkReading: 15 Cybersecurity Lessons We Should Have Learned From 2015, But Probably Didn’t] [Information Week: Top Data Privacy Issues to Scare You in 2016] [Wired: The Biggest Security Threats We’ll Face in 2016]  [CSO Online: Five Cybersecurity Names to Follow in 2016] [Data in 2016: 6 Changes to Expect in Security, Cloud and Mobile Tech]

Smart Cars

WW – Data Communication Modules Coming to 2017 Toyotas

Toyota announced that select 2017 model vehicles worldwide would employ “data communication modules” (DCM) that will connect the cars to “Toyota’s Big Data Center.” While the extent of the DCM’s application will vary from model to model, all cars will have, at minimum, an emergency alert reporting system that activates when the airbag is deployed. Other features are still a mystery, but Toyota did disclose that its data center will “analyze and process data collected by DCM, and use it to deploy services under high-level information security and privacy controls,” it said in a statement. [The Verge]

Surveillance

EU – Irish DPA Requires Transparency When Using Body Worn Cameras

The Irish Data Protection Authority released guidance on the use of body worn cameras, pursuant to the Data Protection Act. Individuals should be clearly informed of the use of body cameras, and clearly informed of all the purposes, who will have access to this information, and how long the images will be retained, mount conspicuous signage in the area in which the camera is operation, and the person operating the body worn camera should be visually identifiable (where possible/practicable, announce to the subjects of an encounter that video and audio recording is taking place using a body worn camera). [DPA Ireland – Guidance on the Use of Body Worn Cameras]

Telecom / TV

US – 2016’s Big Surveillance-Privacy Cases

It’s been 2.5 years since the first Snowden revelations were published. And in 2015, government surveillance marched on in both large (NSA) and small (the debut of open source license plate reader software) ways. Within the past year, Congress voted to end Section 215 of the Patriot Act—but then substituted it with a similar law (USA Freedom Act) that leaves the phone metadata surveillance apparatus largely in place even if the government no longer collects the data directly. Even former NSA Director Michael Hayden admitted in June 2015 that this legal change was pretty minor. We also saw some notable 2015 reforms as to how federal law enforcement uses stingrays, the invasive cell-phone surveillance devices in use by everyone from local cops all the way up to the FBI, DHS, and the IRS. The Department of Justice (the parent agency of the FBI) and DHS both announced new policies that require the agencies to get a warrant prior to deploying the snooping device. California Cops, Want To Use A Stingray? Get A Warrant, Governor Says: In October 2015, America’s most populous state implemented the California Electronic Communications Privacy Act. Among other reforms, this act imposed a warrant requirement for the state’s cops when using a cell-site simulator. Other states that already have similar laws include Washington, Virginia, Minnesota, and Utah. But perhaps 2015’s most notable surveillance happenings took place in the court room. Last year, we summarized five cases and trumpeted: “If the Supreme Court tackles the NSA in 2015, it’ll be one of these five cases.”

US Legislation

US – Key U.S. Cybersecurity Provisions Signed into Law

Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Hogan & Lovells have summarized key cybersecurity provisions. The main goal of CISA is to encourage organizations to share information with the government about the cybersecurity threats they face and to help strengthen the mechanisms via which such information is disseminated to other organizations to help them improve their cyber defenses. Despite overwhelming support in Congress and backing from many in the private and public sectors, questions remain about some provisions in CISA, including whether privacy safeguards are adequate and whether liability protections are sufficient to allay organizations’ fears of being sued based on their participation in information sharing. How these issues are resolved will help determine whether CISA will make a real difference in the way organizations share, receive, and use cybersecurity information. [IAPP Privacy Tracker]

+++